Cyber is one of many business risks


Many years ago, my friend Ed Hill, a Managing Director with Protiviti at the time, coined the expression “there is no such thing as IT risk. There is only business risk.”

Yet, people still talk about quantifying cyber risk in a silo.

They talk about “risk to information assets” instead of risk to the achievement of business objectives.

Cyber is just another business risk.

It needs to be quantified in a way that:

  • Enables leaders to decide whether to make further investments in cyber at the expense of investing in marketing or new product development.
  • Helps people consider cyber as one of several risks relevant to a business decision, alongside the others.

Remember:

  1. Money doesn’t grow on trees. An investment in one area means those resources cannot be used in another.
  2. Decisions have to consider several sources of risk, not just one. Deciding what to do about each risk separately, in a silo, is not the best way to run a business.

A recent post in Intelligent CISO makes some good points before failing.

  • Despite increasing investment in cybersecurity, a new 2025 Qualys report reveals that most organisations still struggle to link cyber risk to real business impact—leaving boardrooms with a blind spot in decision-making.

According to the State of Cyber Risk Assessment 2025 report by Qualys in partnership with…
