Clear and effective communication of IT risk is often the missing link between technical teams and strategic decision-makers. IT professionals may understand the complexities of threats, but translating them into actionable insights that resonate with executives and boards remains a significant challenge. This disconnect can lead organisations either to underestimate potential losses or to overinvest in areas that fail to address their most pressing vulnerabilities.

To illustrate this point, let’s consider two scenarios: Bob and Alice, both CISOs in similar organisations, are tasked with presenting their IT risk landscape to their respective boards. While Bob struggles to provide meaningful answers to critical questions about risk exposure and mitigation, Alice delivers a clear, quantified analysis that empowers her board to make informed decisions. These contrasting approaches highlight the importance of moving beyond qualitative descriptions to a data-driven, quantitative perspective in IT risk communication.

Meet Bob

Bob is the CISO of a medium-sized manufacturing company with just under 300 employees. The board has asked him to present the company’s IT risk and cybersecurity posture in light of recent geopolitical developments.

Bob confidently stands up and points to the screen:

“Our IT security is solid, but there are areas where we can improve. We comply with 79 out of 83 controls and haven’t experienced an IT attack in the past year. However, the threat from cyberattacks remains very high, and the consequences could also be severe. Therefore, that risk is marked red. As you can see, the other 25 risks are either yellow or green,” he explains, pointing to the risk matrix displayed on the screen.

The first question comes:

“What does this threat mean for us? Should we expect to be hit? How expensive could it be?”

Bob hesitates… Another person asks:

“We understand that the threat is serious. How much of it can we insure against? How much money should we allocate to address this threat?”

Bob tries to respond:

“Well, we do have a cyber insurance policy that covers part of it…”

From the end of the table, someone asks:

“What about the yellow risks? How many of those can we tolerate before they become as costly as the red one?”

Bob stammers:

“That… That’s something we’ll need to investigate further, but I don’t have the figures at the moment.”

Slowly, he sits back down.

Then meet Alice

Across the street, Alice, the CISO of a close competitor to Bob’s company, has just begun her presentation to her board. She starts:

“Our IT risk level is generally within our appetite. We expect an average annual loss of EUR 860,000 spread across the 26 identified risk events. This includes a pool of more likely scenarios with significantly lower costs and a few potentially very expensive events. We estimate there’s a 5% likelihood of experiencing losses exceeding EUR 2.7 million, primarily driven by the threat of ransomware attacks.”

The first question is:

“How expensive could it be for us if we’re hit by a ransomware attack?”

Alice flips through her notes:

“A ransomware scenario could occur with a 5% to 25% likelihood, and in 9 out of 10 cases, it would not cost more than EUR 1.35 million. The remaining 10% of incidents, however, could be more costly.”

From the end of the table, another question comes:

“How much would it cost to reduce the risk so that only 5% of incidents exceed EUR 1.35 million?”

Alice responds:

“With the recommended risk reduction plan we’re presenting, we expect to lower the probability of losses from this scenario exceeding EUR 1.35 million to 7%. This plan also includes measures to reduce the likelihood of the more frequent scenarios. Implementing it over the next year will cost approximately EUR 54,000 and will reduce the average annual loss from EUR 860,000 to EUR 750,000. I’d be happy to investigate the cost of reducing that probability even further and present it to you later. Achieving that would likely require more extensive initiatives and a larger budget.”

“Thank you, we look forward to hearing more. We’ll find the funds you need.”


Who do you want to be?

Through our work with quantitative IT risk assessments, we’ve met many professionals who present risk like Bob. But fortunately, we’re seeing more and more like Alice – those who understand the value of communicating IT risk to executives and boards in terms of probabilities and financial impact.

Risk is inherently complex, and no model is ever 100% precise. Yet only by modelling likelihood and financial impact explicitly can we compare risks in a structured, scientifically grounded, and transparent way – providing the strongest foundation for decision-making.
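To make the kind of figures Alice quotes concrete, here is an added illustration written for this page; it is not ACI Risk Measure's tool or method and does not reproduce the article's numbers. It assumes a common quantitative-risk setup: each risk event has an annual likelihood range and a 90% interval for the loss if it occurs; the likelihood is sampled uniformly within its range and the loss from a lognormal fitted to the interval; a Monte Carlo run over simulated years then yields the expected annual loss, the loss-exceedance probabilities behind statements like "a 5% chance of exceeding EUR 2.7 million", the loss that 9 in 10 incidents of a scenario stay below, and the reduction in expected loss a control buys against its cost. The four-scenario portfolio, the control and its EUR 60,000 cost are constructed for the example.

```python
"""Monte Carlo loss model behind board-level risk figures: expected annual loss,
loss-exceedance probabilities, per-scenario percentiles and a control business case."""
import math
import random
import statistics
from dataclasses import dataclass, replace

Z95 = 1.6448536269514722  # standard-normal 95th percentile (bounds a 90% interval)


@dataclass(frozen=True)
class Scenario:
    """One risk event: annual probability range (at most one occurrence a year) and a 90% loss interval in EUR."""
    name: str
    p_low: float
    p_high: float
    loss_low: float   # 5th percentile of loss given occurrence
    loss_high: float  # 95th percentile of loss given occurrence

    def lognormal_params(self):
        # Fit a lognormal whose 5th-95th percentile range is [loss_low, loss_high].
        mu = (math.log(self.loss_low) + math.log(self.loss_high)) / 2
        sigma = (math.log(self.loss_high) - math.log(self.loss_low)) / (2 * Z95)
        return mu, sigma

    def mean_loss_given_event(self):
        mu, sigma = self.lognormal_params()
        return math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal

# Constructed portfolio for a small manufacturer (assumed figures, not the article's 26 risks).
SCENARIOS = [
    Scenario("ransomware", 0.05, 0.25, 200_000, 3_000_000),
    Scenario("business email compromise", 0.20, 0.50, 20_000, 250_000),
    Scenario("production IT outage", 0.30, 0.70, 30_000, 400_000),
    Scenario("lost or stolen laptop", 0.10, 0.30, 10_000, 100_000),
]

def expected_annual_loss(scenarios):
    """Closed-form ALE: sum of mean annual likelihood x mean single-event loss."""
    return sum((s.p_low + s.p_high) / 2 * s.mean_loss_given_event() for s in scenarios)

def simulate(scenarios, trials=20_000, seed=1):
    """Return (total loss per simulated year, {scenario: losses in the years it occurred})."""
    rng = random.Random(seed)  # fixed seed: the same inputs give the same board figures
    annual, per_scenario = [], {s.name: [] for s in scenarios}
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            p = rng.uniform(s.p_low, s.p_high)  # uncertainty about the likelihood itself
            if rng.random() < p:
                loss = rng.lognormvariate(*s.lognormal_params())
                per_scenario[s.name].append(loss)
                total += loss
        annual.append(total)
    return annual, per_scenario

def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def percentile(values, q):
    """Nearest-rank percentile; 0.0 if the scenario never occurred in the simulation."""
    if not values:
        return 0.0
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))]

def board_report(scenarios, thresholds, trials=20_000, seed=1):
    """The figures a CISO can quote: ALE, exceedance probabilities, p90 loss per scenario."""
    annual, per_scenario = simulate(scenarios, trials, seed)
    return {
        "ale": statistics.fmean(annual),
        "exceedance": {t: exceedance_probability(annual, t) for t in thresholds},
        "p90_given_event": {n: percentile(v, 0.90) for n, v in per_scenario.items()},
    }

def apply_control(scenarios, name, likelihood_factor=1.0, magnitude_factor=1.0):
    """Model a control as a multiplicative cut in one scenario's likelihood and/or loss."""
    return [replace(s, p_low=s.p_low * likelihood_factor, p_high=s.p_high * likelihood_factor,
                    loss_low=s.loss_low * magnitude_factor, loss_high=s.loss_high * magnitude_factor)
            if s.name == name else s for s in scenarios]

def control_business_case(before, after, annual_cost, trials=20_000, seed=1):
    """ALE with and without the control, set against what the control costs per year."""
    ale_before = statistics.fmean(simulate(before, trials, seed)[0])
    ale_after = statistics.fmean(simulate(after, trials, seed)[0])
    return {"ale_before": ale_before, "ale_after": ale_after, "annual_cost": annual_cost,
            "net_benefit": ale_before - ale_after - annual_cost}

if __name__ == "__main__":
    report = board_report(SCENARIOS, thresholds=[1_000_000, 2_000_000])
    print(f"Expected annual loss: EUR {report['ale']:,.0f}")
    for t, p in report["exceedance"].items():
        print(f"P(annual loss > EUR {t:,}) = {p:.1%}")
    print(f"Ransomware, 9 in 10 incidents cost at most: EUR {report['p90_given_event']['ransomware']:,.0f}")
    # Assumed control: offline backups plus segmentation cut ransomware likelihood by 40 %
    # and its loss range by a quarter, at an assumed EUR 60,000 per year.
    mitigated = apply_control(SCENARIOS, "ransomware", likelihood_factor=0.6, magnitude_factor=0.75)
    print(control_business_case(SCENARIOS, mitigated, annual_cost=60_000))
```

Two points a practitioner should keep in mind when presenting such output: the Monte Carlo estimates carry sampling error (here a few percent on the expected annual loss at 20,000 trials, more on tail percentiles), so quote them as rounded figures or ranges rather than to the euro; and the closed-form `expected_annual_loss` is a useful cross-check that the simulation has not been wired up wrongly, since the two must agree within that sampling error.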

Ready to communicate risk like Alice?
Explore our other articles and learn how to turn IT risk into clear, actionable insights: Knowledge – ACI Risk Measure