RSAC Podcast Summary
Episode: Cyber at the Top: Risk Quantification: Turning Cyber Risk into Business Language
Date: February 5, 2026
Guest: Matthias Boucher, Group CISO, Heidelberg Materials
Host: RSAC
Overview
This episode explores how Chief Information Security Officers (CISOs) can effectively quantify cyber risk in financial terms to gain buy-in from business leadership and boards. Drawing from first-hand experience at Heidelberg Materials, Matthias Boucher discusses the evolution from technical, ad hoc reporting to standardized, value-driven metrics that help cybersecurity become a business-enabling force. The conversation unpacks challenges in the discipline, the power of standardization, education for both CISOs and boards, and practical strategies for newcomers to risk quantification.
Key Discussion Points & Insights
1. The Evolving CISO Role & Organization Structure
- [01:34] Matthias’ Unique Setup:
- Heidelberg Materials operates in 51 countries, $25B company, 50,000 employees.
- Boucher’s CISO role includes enterprise digital risk—blending SOC, security awareness, consultancy, and business continuity:
“This gives us the possibility to really handle digital risk...from risk discovery to risk treatment, all in one organization.” – Matthias [01:47]
- Passion for resilience and education; board member of the FAIR Institute.
2. Why Is Cyber Risk Challenging to Quantify?
- [03:20] Three Dimensions: People, Process, Tools
- People:
Most CISOs come from technical backgrounds and aren’t comfortable with financial language. “For a lot of CISOs...talking in million US dollar is not their home turf.” – Matthias [03:38]
- Process:
CISOs embedded in IT often lack exposure to value-driving business processes and P&L responsibilities; missing integration with enterprise risk management.
- Tools:
Modern tooling exists, but methodology and understanding must come first: “A fool with a tool is still a fool.” – Matthias [05:31]
- Takeaway:
True quantification requires bridging gaps in people, process, and tools, not just technology.
3. The Need for Standardized, Business-Oriented Metrics
- [07:06] Comparison to Other Functions:
- Other C-suite functions (e.g., HR) report with universal, easily understood KPIs; cybersecurity often defaults to technical jargon (EDR coverage, mean time to detect).
“Every real profession has standardized clear metrics...security, we see a different picture.” – Matthias [07:12]
- Impact on Board Communication:
“You lose a big opportunity...when you need a lot of explanation and engagement to explain the value of a KPI, it's mostly not a fitting KPI.” – Matthias [08:28]
“CISOs are technically good in more operational KPIs but worse in business KPIs.” – Matthias [09:54]
- Link to Business Outcomes:
- Security investments must clearly map to financial impact—e.g., “10¢ on the dollar” rationale.
4. Translating Cyber Investment into Board Language
- [11:14] Making Cyber a Business Conversation:
Quantification bridges operational KPIs and business priorities, enabling informed decisions and broader support. “Translating your programs into known KPI is a big plus...you can talk to a broader audience.” – Matthias [11:22]
- [12:08] Prioritization with Metrics:
- Cyber risk quantification enables business-case-driven resource allocation:
“Why not putting also hard numbers and skin in the game here?” – Matthias [12:43]
- Benchmarking against competitors further validates investment and ROI.
5. The Central Role of Education
- [15:38] Organization-wide Upskilling:
- CISOs must both educate themselves about business fundamentals and train the board in cyber risk context.
“Education is extremely important...Complexity is really the enemy here.” – Matthias [15:42]
- Cyber and resilience should become “core job contributing skills.”
- The value chain is only as strong as its weakest link (e.g., third-party risk).
“Security and resilience is tightly linked to risk...your whole organization has to carry.” – Matthias [16:57]
6. Getting Started with Risk Quantification
- [19:39] The CISO Must Lead:
- Can't delegate risk quantification; requires personal engagement and upskilling.
“You can't delegate this topic. It needs you as a CISO and as executive sponsor and leader.” – Matthias [19:42]
7. Overcoming Resistance
- [20:28] Three Stakeholder Groups:
- CISO Peers:
- Divided: some skeptical, some unsuccessful in attempts. Need to share learnings openly.
- Quantification can reveal uncomfortable truths about past investments but leads to greater flexibility and clarity.
“I can tell you it's totally worth it because what I overcame...I'm not struggling to go for budget with the board of directors because I have such a clear business case behind the initiatives.” – Matthias [22:41]
- Board of Directors:
- Welcomed financial quantification, no resistance.
“No resistance at all. This is highly appreciated...because this is the numbers they understand.” – Matthias [23:18]
- Internal Teams:
- Initial discomfort, especially for technical team members, but overcame with clear templates and engagement.
“They started more as followers...now I see them leading, which makes me very proud.” – Matthias [24:36]
8. Applying the Methodology to Emerging Risks (e.g., AI)
- [26:47] Quantification for New Initiatives:
- The same principles apply—security becomes a standard part of new business cases, including AI rollouts.
“We modeled those things and we got quite a sizable AI security program out of that...you are able to justify a case and you speak the same language as the CFO, as the CTO, as the CEO.” – Matthias [27:41]
- Start simple (“crawl before you run”) and build model sophistication over time.
“Don’t be afraid. It’s not just historical data, it’s always looking into the future and helping you.” – Matthias [28:45]
Notable Quotes & Moments
- “A fool with a tool is still a fool...always encourage my peers, look into the methodology and the value first and then look at the tool landscape.” – Matthias [05:31]
- “When you need a lot of explanation and engagement to explain the value of a KPI, it's mostly not a fitting KPI.” – Matthias [08:28]
- “CISOs are technically good in more operational KPIs but worse in business KPIs...this enables non-tech or sec-savvy board members for understanding.” – Matthias [09:54]
- “Why not putting also hard numbers and skin in the game here? ... why not do it by a clear business case?” – Matthias [12:43]
- “You can't delegate this topic. It needs you as a CISO and as executive sponsor and leader.” – Matthias [19:42]
- “No resistance at all [from the board]. This is highly appreciated...because this is the numbers they understand. Give it a shot. Don't be afraid of that.” – Matthias [23:18]
- “Don't forget your internal team. They are as important as the board of directors because they make those things happen. And don't be afraid, you're not going to regret it.” – Matthias [24:49]
- “Even in very, very new and very innovative topics, you can do a very decent modeling and you also improve the model from time to time.” – Matthias [28:34]
Suggested Listening Timestamps
- [01:34] – Matthias on his unique role & organizational structure
- [03:20] – The three dimensions of why cyber risk is hard to quantify
- [07:06] – The case for standardized metrics and the HR comparison
- [12:08] – Risk quantification drives prioritization and resource allocation
- [15:38] – The foundational importance of education at all levels
- [19:39] – For newcomers: the CISO must own and lead this journey
- [20:28] – Experiences overcoming resistance from peers, the board, and teams
- [26:47] – Using risk quantification for AI and net new initiatives
Tone & Style
The episode strikes a pragmatic and encouraging tone. Matthias blends candid admission of challenges with strong advocacy for quantitative, business-driven metrics in cyber. Both the host and guest emphasize simplicity, clarity, and leadership-by-example.
Key Takeaways for Listeners
- Cyber risk quantification is essential for CISOs seeking credibility with business leaders.
- The true shift requires new skills, new metrics, and CISO ownership—not just tools.
- Standardized, financial KPIs for cyber allow comparison, prioritization, and buy-in.
- Education is needed at all levels—from boardroom down to technical teams.
- Resistance is normal, especially among peers and internal teams, but can be overcome.
- The approach applies as much to new risks (AI, digitalization) as traditional threats.
