Effective strategies for turning cyber risk data into business insights
Cyber risk decision-making should be as credible, defendable, and trustworthy as financial statements. Organisations need a shared understanding of cyber data and metrics, and of how they tie to risk.
Business stakeholders, from board members and C-suite executives to regulators and auditors, seem to be looking for answers as to how they should view cyber risk in the context of their role.
“In today’s AI-driven landscape, traditional methods of manually gathering technical cyber data points and attempting to report the same information to various audiences across business, technology, and cyber leaders are no longer effective,” says Ajay Arora, a managing director with Deloitte & Touche LLP. “Organisations should embrace advanced analytics and tailored communication strategies to confirm that cyber risk insights are meaningful and actionable for each stakeholder group.”
“Board members are asking whether the company is exposed to cyber risks that they’re reading about in the newspapers,” says Raj Mehta, a partner with Deloitte & Touche LLP. “Many CIOs and CFOs are asking whether company investments in cyber security capabilities are aligned with the industry and peers. And regulators and auditors are asking whether the organisation has put the right tools and processes in place.”
As the face of cyber security for the organisation, chief information security officers (CISOs) face multiple challenges when it comes to answering these questions, be it the manual nature of data collection, the complexity of generating meaningful analytics or differing opinions and comfort levels when it comes to risk representation.
“Risk decision-making around cyber should be as credible, defendable, and trustworthy as financial statements,” says Ajay Arora, a managing director with Deloitte & Touche LLP. “Finance teams collect data that is spread across different tools and processes in the organisation, and there is a clear methodology, framework, and understanding of what statements and reports like a balance sheet and a P&L are. That enterprise-wide understanding does not typically exist in cyber today, but it is where the industry is going.”
To get to the point where cyber is a standard part of the general business lexicon, it is essential for an organisation to develop a common assessment methodology for the risk-relevant data generated by cyber security tools and processes.
“Risks can then be quantified by consolidating and normalising data for processing through a common risk model,” says Mehdi Houdaigui, a principal with Deloitte & Touche LLP. “The output of the model is then used for the purpose of creating detailed analyses across business units, regions, and functions in a way that is meaningful to different audiences.”
Below are three strategies to consider when building a foundational and trustworthy cyber reporting capability that enhances understanding for stakeholders.
Build a scalable cyber analytics foundation
The first step is to understand the audience and their use cases. Consider separating stakeholders into broad categories — for example, the cyber team, the IT team, and an extended business category — and then segmenting those categories further into different levels, such as executive, management, and operational.
When it comes to building a cyber analytics foundation, the first element to put into place is a metrics framework that incorporates the appropriate key risk indicators (KRIs), key performance indicators (KPIs), and the underlying data points to support each. For example, a reporting program might indicate workforce cyber resilience by tracking trends in failed phishing tests or in data loss event resolution. It might also provide supply chain risk intelligence by focusing on program governance, assessment coverage, and remediation.
“To run a cyber metrics and reporting program, organisations will need to continually analyse the data sets collected from their portfolio of cyber and technology tools,” says Stephen Gathman, a manager with Deloitte & Touche LLP. “From those data sources, an effective set of risk indicators can be produced as a foundation for communicating cyber-induced business risks,” he explains.
Next, using standard risk scoring methodologies, data transformation, and advanced techniques (such as AI and machine learning), develop a risk engine that can take cyber data feeds and translate them into indicators of business risk.
Once these foundational capabilities are in place, the organisation can work on maturing capabilities in three areas: effective storytelling that is customised to particular audiences, translating technical cyber risk into both business risk and financial terms, and linking the cyber strategy to the business strategy.
Confirm trustworthy data quality, models
Technology and application teams must parse through vast amounts of cyber data to address risks, which can lead to uncertainty in prioritisation of risk reduction efforts. Common challenges include conflicting or redundant data gathered from multiple data sources, mixed data structures and models leading to issues when merged, varied rating methodologies and scales that can lead to confusing results, and excessive metrics tracking that can produce unclear messaging in reporting.
“It is imperative for cyber analytics teams to build trust in the quality of the risk analytics and metrics being produced from the varied data sources by implementing consistent and transparent models,” says Duncan Molony, head of Cyber Security and Data Analytics at Corebridge Financial.
Some trust-related metrics cover identity and access protocols, helping leaders visualise increased attack vectors, or secure application development (DevSecOps), such as tracking the use of secure code repositories.
Several steps can help address these challenges and develop a mature risk model:
• Deploy a common data model that houses data from multiple sources to maximise utility.
• Normalise the common data model to remove redundancy and achieve a centralised warehouse of risk data.
• Leverage a common risk scoring methodology to enable risk aggregation over multiple dimensions, such as business units or applications.
“Traditional cyber metric bottom-up reporting and cyber risk quantification (CRQ) in financial terms are increasingly converging to provide a richer context for decision-makers,” says Molony. “This integration allows organisations to present a more comprehensive view of cyber risks, aligning technical data with financial impacts to enhance strategic decision-making.”
The goal is to end up with data that is accurate, complete, consistent, unique, and timely. This can then be aggregated appropriately for a particular audience.
“As cyber risk reporting moves up the chain within an organisation, the scope of relevant risk metrics narrows and more data needs to be aggregated at the appropriate level for the right audience or stakeholder group,” says Tiffany Kleemann, a managing director with Deloitte & Touche LLP.
“For example, those at the operational level may need to see technical data points, whereas those in the C-suite may require information to be aggregated and presented in business terms that reflect business risk, operational resiliency and disruption, or compliance risk. As aggregation increases, it is imperative to strengthen the foundation of data governance and data quality to build and sustain trust in cyber risk reporting,” adds Kleemann.
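The three steps above (common data model, normalisation to remove redundancy, common scoring for aggregation by business unit) and the roll-up Kleemann describes, as an added example that is not the article's or Deloitte's code. It assumes two constructed tool feeds with different field names and severity scales, a deliberately simple additive scoring rule, and hypothetical risk-band thresholds.

```python
# Added example (not the article's or Deloitte's code): a minimal common data
# model that normalises findings from two constructed tool feeds with different
# severity scales, removes duplicates, scores them with one methodology,
# aggregates by business unit, and rolls the result up for an executive view.
from collections import defaultdict

# Constructed sample feeds. Tool A rates 1-5; tool B uses a 0-10 CVSS-like scale.
TOOL_A = [
    {"asset": "web-01", "unit": "Retail", "issue": "finding-001", "sev": 5},
    {"asset": "web-01", "unit": "Retail", "issue": "finding-001", "sev": 5},  # duplicate
    {"asset": "hr-db", "unit": "Corporate", "issue": "finding-002", "sev": 3},
]
TOOL_B = [
    {"host": "web-01", "bu": "Retail", "finding": "finding-001", "score": 9.8},  # also in A
    {"host": "pay-api", "bu": "Retail", "finding": "finding-003", "score": 7.1},
]

def normalise(records, field_map, scale_max):
    """Map source records onto the common model; severity rescaled to 0..1."""
    return [{"asset": r[field_map["asset"]], "unit": r[field_map["unit"]],
             "issue": r[field_map["issue"]],
             "severity": r[field_map["sev"]] / scale_max} for r in records]

def dedupe(findings):
    """Keep one record per (asset, issue), retaining the highest severity."""
    best = {}
    for f in findings:
        key = (f["asset"], f["issue"])
        if key not in best or f["severity"] > best[key]["severity"]:
            best[key] = f
    return list(best.values())

def score_by_unit(findings):
    """Common scoring: transparent sum of normalised severities per unit."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["unit"]] += f["severity"]
    return dict(totals)

def executive_rating(unit_scores, high=1.5, moderate=0.5):
    """Roll-up for the C-suite: a risk band per unit instead of raw numbers (hypothetical thresholds)."""
    return {u: "High" if s >= high else "Moderate" if s >= moderate else "Low"
            for u, s in unit_scores.items()}

def build_report():
    """Run the pipeline over both feeds; returns (unit scores, executive bands)."""
    model = (normalise(TOOL_A, {"asset": "asset", "unit": "unit", "issue": "issue", "sev": "sev"}, 5)
             + normalise(TOOL_B, {"asset": "host", "unit": "bu", "issue": "finding", "sev": "score"}, 10))
    scores = score_by_unit(dedupe(model))
    return scores, executive_rating(scores)
```

The operational view keeps the per-finding records from `dedupe`, while `executive_rating` is the narrower, aggregated view that moves up the chain; the duplicate in tool A and the overlap between tools collapse to a single record per asset and issue before scoring.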
Provide actionable risk intelligence
“In Deloitte’s experience, boards and audit committees often ask questions that fit into one of two buckets: risk exposure, or readiness and resiliency,” says Arora. “They want to know how exposed the company is to cyber risk and then how ready the organisation is to respond should an incident occur.”
A leading way to measure and illustrate cyber risk is to build a series of persona-based dashboards and composite, outcome-oriented indicators that can provide actionable insight in a way that is easily digestible. Effective reporting and dashboards gauge levels of cyber risk exposure and resilience, helping the organisation to quantify its cyber posture via frameworks such as the National Institute of Standards and Technology Cybersecurity Framework.
In addition to decision intelligence, actionable cyber reporting can be used to translate cyber risks into the business terms typically used to discuss operational disruption, reputational risk, or financial loss. “The output also provides cyber teams with the insight to break down items by dimensions, such as business units, brands, products, or regions so the information is meaningful for the owners who drive action in the business,” says Arora.
“Being able to slice and dice the metrics by dimension is what helps make the risk intelligence actionable,” says Gathman.
By leveraging momentum from strong quantification foundations and data models, the rapid advancement in AI and data collection is slated to enable streamlined identification and potential burndown of cyber risk. By pursuing these capabilities, organisations can enhance investment value in cyber tools and capabilities, while removing ineffective processes and technologies.
Isobel Markham, senior writer, Executive Perspectives in The Wall Street Journal, Deloitte Services LP
As published by the Deloitte US Chief Financial Officer Program in the June 14 2025 edition of The Risk & Compliance Journal in the WSJ.
Copyright © 2025 Deloitte Development LLC. All rights reserved.