AI is increasingly playing an essential role in cyber defence, yet every layer of automation carries both benefit and trade-off. The benefit lies in speed, scale, and consistency. The trade-off lies in the gradual displacement of human interpretation. The question is not whether automation is valuable but whether it remains an extension of human intent or becomes a substitute for it.

Earlier this year the National Audit Office (NAO) warned that Government cyber resilience isn’t keeping up with the evolving threat. Unsurprisingly, digital and cyber resilience across public sector is now under unprecedented scrutiny and the pressure to act has never been higher.

Many organisations say they want to be “cyber resilient”, but the term is often vague. At its core, resilience means ensuring the business can continue to operate despite inevitable events – cyber or otherwise. The problem is that resilience is still too often treated as an aspiration, rather than a discipline.

Is your organisation primarily using a traffic light system (red, amber, green) to manage cyber risk? You could be overlooking a crucial dimension of risk management.

As UK retailers made the press in a series of cyber-related incidents a familiar question surfaced again from colleagues - “Do we have a summary of key themes we can share with clients to support cyber conversations?”

Cyber insurance has become a staple in many organisations’ risk strategies, but its strategic value is often under-leveraged.

CRQ can’t remain a pilot forever. To drive meaningful, repeatable value, it needs to mature into a business capability: trusted, embedded, and regularly informing decisions.

Before a single scenario is modelled or a number estimated, one of first challenges in adopting cyber risk quantification (CRQ) is simply persuading stakeholders it's worth doing.

In this article, I’ll share six working principles I’ve found essential for embedding CRQ in a way that sticks — not just as a project, but as a true business capability.

What Shackleton Can Teach Us About Navigating Cyber Risk

For all the energy that organisations invest in CRQ, a frustrating truth remains: many results don't actually lead to better decisions. Quantification is a powerful tool. But like any tool, its value lies in how it’s used.

Just like the weather, Cyber Risk Quantification (CRQ) needs a standardised set of metrics. Let's explore what they can be.

Understanding the cyber threats you face and where best to invest in strengthening your cyber security is a business priority.

The digital landscape continues to evolve at an unprecedented rate, bringing forth new challenges and amplifying the urgency for robust cybersecurity measures.

Worst case sets a practical limit on what should be spent to manage/mitigate risk, most likely is what you should expect to occur, while ALE tells you how to do long-term financial planning or to think for (self) insurance.