Cyber Risk Quantification — a valuable tool for today's CISO

Cyber defence has traditionally been a primarily abstract exercise. The Chief Information Security Officer (CISO) is charged with protecting the organisation against relatively nebulous and undefined threats.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

You know the danger is lurking somewhere, but can’t quite define the risk in concrete or tangible terms.

Technology has become essential for every aspect of business operations and cyber threats have become increasingly common and costly to manage. CISOs are expected to contribute materially to business resilience and growth.

Because of this shift toward more strategic expectations, the CISO must translate cyber security into business language to make it relevant across the entire organisation.

Cyber Risk Quantification (CRQ) has emerged as a valuable tool for doing just that: defining and articulating risk in financial terms. It supports decision making and gives a clearer view of the return on security investment, making the organisation more cyber resilient.

More than just a “nice to have,” CRQ is becoming necessary for many organisations as boards, governments, and regulatory bodies push for greater accountability. For example, the UK government is suggesting organisations treat cyber risk the same way they would financial or legal risk, complete with a proposed code of practice for governance.

CISOs understand the risks and implications but communicating them clearly to the rest of the organisation can be challenging.

How to use CRQ effectively:

DO communicate the risk in financial terms. 

Business leaders make decisions based on business metrics. You need to contextualise risk in a language (numbers) they can understand, not traffic lights and pie charts. Cyber security is a business function that needs to be managed, just like innovation or technology. We invest in tools to manage risk and optimise performance in those areas—cyber security should be no different.

DON’T scaremonger.

Present evidence of risks and impacts from breaches, but also recognise that the executive team or board of directors is trying to balance the entire organisation’s needs. You want them to take cyber risks seriously, but an overzealous approach can leave you looking out of touch with business realities.

DON’T get too technical. 

Your fellow execs and board of directors may not need (and probably don’t want) to hear the technical details of which tactics the latest threat actors are deploying. They just need to know the likelihood of an attack, the potential for damage, and whether your organisation is equipped to prevent it. 

Consider employing a traditional 5x5 risk matrix. If an event would have a significant impact but is unlikely, you’ll naturally have a harder time getting buy-in. But if the impact is existential, you’ve got a compelling case.

DO point out the risk of doing nothing. 

By doing nothing, what vulnerabilities are you leaving exposed? Are there regulatory compliance issues? Are you risking new business? Are you putting customer data at risk? Decision makers must know the consequences of inaction.

DO explain personal liability. 

CISOs and other company leaders may be (and have been) held personally liable for a breach when it’s been found they were aware of vulnerabilities and either chose not to act or covered them up. You must have a legal strategy for cyber incident response, including prioritising integrity and recognising that anyone suspected of obfuscation or misrepresentation can be held personally accountable.

DON’T promise to eliminate all risks. 

This is unrealistic, and it is also undesirable. Every business needs to take on a certain amount of risk to function and be innovative. An acceptable level of operational risk allows you to push boundaries and compete, but it shouldn’t restrict ingenuity to the point of paralysis. Leaders understand risk-benefit analysis, so quantify your risk in these terms and decide what level you’re willing to tolerate.
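As an added illustration of the points above (risk in financial terms, the 5x5 matrix, the cost of doing nothing, and choosing a level of risk to tolerate), the following Python sketch is example code written for this page; it is not part of the original article and not NCC Group's or anyone's prescribed CRQ method. It assumes a simple expected-annual-loss model (annual event frequency times loss per event, with a Monte Carlo range around it) and uses constructed band thresholds and scenario figures; an organisation would substitute its own.

```python
"""Illustrative cyber risk quantification: from a 5x5 matrix placement to
financial terms. Added example; the model (expected annual loss plus a
Monte Carlo range) is an assumption, not a method the article prescribes."""
import math
import random
import statistics

# Qualitative 1..5 bands for a traditional 5x5 matrix. These cut-points are
# constructed for illustration; an organisation would set its own.
LIKELIHOOD_BANDS = [0.05, 0.2, 0.5, 0.8]                # annual probability
IMPACT_BANDS = [50_000, 250_000, 1_000_000, 5_000_000]  # GBP per event


def band(value, cut_points):
    """Return the 1..5 band a value falls into, given ascending cut-points."""
    return 1 + sum(value >= c for c in cut_points)


def matrix_cell(annual_probability, impact_gbp):
    """Place a scenario on the 5x5 matrix: (likelihood band, impact band, score)."""
    likelihood = band(annual_probability, LIKELIHOOD_BANDS)
    impact = band(impact_gbp, IMPACT_BANDS)
    return likelihood, impact, likelihood * impact


def expected_annual_loss(annual_frequency, mean_impact_gbp):
    """Single-point financial estimate: events per year times mean loss per event."""
    return annual_frequency * mean_impact_gbp


def control_roi(loss_before, loss_after, annual_control_cost):
    """Compare a control against doing nothing.

    Returns (risk reduced per year, net benefit after the control's cost,
    ROI ratio). A negative net benefit means the control costs more than
    the risk it removes, which is a legitimate 'tolerate it' outcome."""
    reduced = loss_before - loss_after
    net = reduced - annual_control_cost
    roi = net / annual_control_cost if annual_control_cost else math.inf
    return reduced, net, roi


def _poisson(rng, lam):
    """Knuth's method for drawing a Poisson-distributed event count."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


def simulate_annual_loss(annual_frequency, median_impact_gbp, sigma,
                         trials=20_000, seed=1):
    """Monte Carlo: Poisson event count per year, lognormal loss per event.

    Returns (mean annual loss, 95th percentile) so the board sees a range and
    a plausible bad year, not just a single expected value."""
    rng = random.Random(seed)          # fixed seed: reproducible figures
    mu = math.log(median_impact_gbp)   # lognormal median = exp(mu)
    losses = []
    for _ in range(trials):
        events = _poisson(rng, annual_frequency)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    losses.sort()
    p95 = losses[int(0.95 * (trials - 1))]
    return statistics.fmean(losses), p95


if __name__ == "__main__":
    # Constructed scenario: ransomware on a core system, 0.3 events per year,
    # median loss GBP 500k per event with moderate spread (sigma 0.5).
    freq, median, sigma = 0.3, 500_000, 0.5
    mean_impact = median * math.exp(sigma ** 2 / 2)   # lognormal mean
    ale = expected_annual_loss(freq, mean_impact)
    print("5x5 cell (likelihood, impact, score):", matrix_cell(freq, mean_impact))
    print(f"Expected annual loss: GBP {ale:,.0f}")
    mc_mean, mc_p95 = simulate_annual_loss(freq, median, sigma)
    print(f"Monte Carlo mean GBP {mc_mean:,.0f}, 95th percentile GBP {mc_p95:,.0f}")
    # Doing nothing keeps `ale`; a control costing GBP 60k/yr that halves frequency:
    after = expected_annual_loss(freq / 2, mean_impact)
    reduced, net, roi = control_roi(ale, after, 60_000)
    print(f"Risk reduced GBP {reduced:,.0f}/yr, net benefit GBP {net:,.0f}, ROI {roi:.2f}")
```

The design choice worth noting is the pairing of a single expected-loss number (what a budget discussion needs) with a 95th-percentile figure (what a "how bad could a year be" question needs); presenting only the average understates tail years, while presenting only the tail invites the scaremongering the article warns against.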

Supporting CISOs with cyber risk management expertise

Are you looking to reach the next level of cyber maturity? 

NCC Group is currently supporting clients with Rapid CRQ Assessments. These combine NCC Group's 30+ years of cyber expertise with AI-fuelled insights to benchmark risk levels across people, processes, and technology. You are given actionable insights and mitigation support, as well as a clear, data-powered way to communicate your cyber risk management to stakeholders and to validate your strategic investments.