
Cyber at the Top Turning Cyber Risk into Business Language


Posted on by Hugh Thompson

Cybersecurity leaders are experts in defending complex environments, managing incidents, architecting resilient systems, and outmaneuvering sophisticated adversaries. Yet when the conversation shifts from threats and controls to profit margins, capital allocation, and financial statements, many find themselves on less familiar ground. That gap puts them—and the cybersecurity industry—at a disadvantage. When cyber risk cannot be expressed in clear business and financial terms, it becomes harder to influence executive decisions, justify investments, and create best practices across organizations. For our profession to continue to evolve, the ability to quantify cyber risk and translate it into business language is essential.

In a recent episode of the Cyber at the Top podcast, I spoke with Mathias Buecherl, Group CISO of Heidelberg Materials. His CISO role extends beyond the traditional boundaries of security to also include enterprise digital risk, resilience, and business continuity, bringing risk discovery and risk treatment together under the same organization. The result is a more scalable and cost-effective approach to managing digital risk. Mathias is a strong advocate for cyber risk quantification and elevating the CISO’s voice in the C-Suite, and our discussion explored why quantifying risk can be so challenging, why it matters, and how cyber leaders can begin the journey. 

Why Cyber Risk Has Been Difficult to Quantify

According to Mathias, the reason cyber risk has historically been difficult to quantify lies across three dimensions: people, process, and tools. Cybersecurity has long been rooted in technology and operations, and many of its leaders were never trained to think in financial terms. At the same time, CISOs were often positioned within IT, with limited exposure to business value discussions or Profit and Loss (P&L) accountability. This is changing, but the legacy remains. On the tools side, the industry is still maturing. Frameworks, methodologies, and data models are improving, yet organizations must still navigate complexity and uncertainty. Across all three dimensions, the central challenge is the same: for the cybersecurity organization to be fully understood and supported, cyber risk should be expressed in a way the business understands.

Quantification Creates Standardization and Business Alignment

Most mature professions rely on a common set of metrics. In cybersecurity, however, metrics reporting is often inconsistent. We measure operational indicators like coverage, detection time, containment speed, and compliance scores, yet these rarely translate cleanly into business impact. Board members, who often serve across multiple industries, expect clarity and comparability. They think in terms of revenue, profitability, and market position. When cyber metrics cannot be connected to those outcomes, communication suffers and cyber leaders struggle to get the support they need from their boards and leadership teams. Linking them to business value ensures leaders can make better, more informed choices together.

When cybersecurity investment is expressed in financial and risk terms, the conversation changes. Cyber programs become understandable to a broader audience, and alignment improves across leadership. Within cyber teams, quantification introduces discipline and forces clarity about where resources are going, what risk is being reduced, and what value is being created. In an environment where security budgets are always constrained, decisions must be grounded in business cases. It also enables benchmarking across companies. Mathias explained that board members often ask how their organization compares to peers, how others allocate resources, and whether spending levels are justified. Without quantification and standardization, those questions are difficult to answer.

How CISOs Can Begin the Journey

For CISOs beginning the journey toward risk quantification, the most important step is ownership. CISOs must set the direction, invest in their own learning, and embed financial thinking into their organizations. Education plays an important role in this transformation. CISOs must understand the business deeply if they want to communicate in business terms, and they must also help others understand cyber risk in clear, simple language. It's a cultural shift that requires strong leadership.

In some cases, quantification can reveal uncomfortable truths, such as misaligned investments, areas of overspending, or the need to pivot strategy. Yet the benefits are significant. CISOs gain stronger control over their programs, clearer justification for investment, and often greater access to funding because the business case is explicit. Boards and leadership teams tend to welcome clarity. When risk is expressed in meaningful terms, they are better equipped to guide and govern.

The Path Forward

Cybersecurity is steadily moving from the server room to the boardroom. As it does, our language must evolve. Quantifying cyber risk in business terms strengthens decision-making, elevates the role of the CISO, and ultimately advances the maturity of our entire profession. To hear my full conversation with Mathias, watch the video here.

Contributors
Hugh Thompson

Executive Chairman & RSAC Conference Program Committee Chair, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

