Inside the episode: What I learned from speaking with Julian Meyrick
I’ve spent a fair chunk of my career navigating the world of “traffic light” reports. Whether it’s been in the transport sector or across various cyber security leadership roles, we’ve often found ourselves stuck with Red-Amber-Green (RAG) status updates. While they look great on a slide, they are, as Julian Meyrick and I discussed recently, fundamentally subjective.
I sat down with Julian, UK Managing Director at Eraneos, to talk about the shift from these vague reports to actually measuring the financial reality of cyber risk. He’s been a vocal advocate for risk quantification for years, and it was fascinating to hear how this approach is moving from the sidelines of tech teams into the heart of government and board-level strategy.
The problem with subjective reporting
The challenge we’ve always faced is helping business leaders understand cyber security without getting bogged down in technical jargon. The traditional RAG model often fails here because it doesn’t offer an objective analysis of business impact.
Julian put it perfectly: “You end up with way too many reds, and you actually end up probably with some greens that probably should be reds. And it’s really difficult to help the business leaders make the right business decisions as a result”.
We often lose the nuance when we abstract real data into these “buckets”. Someone might work out that a potential loss is £4.9 million versus £5.2 million, but if we simply label both as a “4” because they are near a threshold, we throw away the very detail that aids decision-making.
Lessons from the Cyber Action Plan
The government’s new Cyber Action Plan represents a major cultural and operational shift. Its first objective is better visibility of cyber security and resilience risk. By focusing on objective risk assessments, leadership can finally prioritise resources where they will have the greatest systemic impact.
What’s interesting is that this isn’t just for government departments. As Julian noted, “Every leader, every public sector organisation, every supplier has a role to play”. It’s a model that commercial businesses, especially those in the supply chain, can learn from.
Speaking the language of the board
When we talk to CISOs about presenting risks to the board, the reaction to financial quantification is usually transformative. Board members recognise financial terms; it’s the model they already use for credit, finance, and operations.
Julian shared a striking example regarding the NHS WannaCry incident in 2017. At the time, the decision was allegedly made to focus on patients rather than patching computers. Had risk quantification been used, Julian believes they could have proved a potential business risk of £20 million.
“If it is going to cost us 20 million, then I think it would have gone up and some senior people would have gone, ‘Okay, maybe we do need to invest in this.’ But obviously the next question would be, ‘And how much is it going to cost us to reduce that risk?’”. In reality, WannaCry cost over £160 million. Quantification provides a language that forces the right investment decisions, even if it cannot offer perfect prediction.
Building the business case
One of the most practical applications Julian mentioned was using risk quantification to build a business case for a UK government department. They had a long list of necessary actions, and quantification did two things: it prioritised that list and built a financial case for investment.
The feedback they received was that it was “the best business case we’ve ever seen for investing in cyber security”. By assessing annualised loss exposure, you aren’t just looking at a scary number; you are assessing the financial impact of business disruption.
This involves engaging with the people who actually run the business, from the plant managers to the process owners. When a number comes from them, it carries far more credibility, and the discussion becomes a business conversation about net cost reduction rather than technical teams simply requesting new tools.
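To make the bucketing and business-case arguments concrete, here is an added example (not from the episode, Julian Meyrick or Eraneos) that models annualised loss exposure as loss-event frequency times loss per event, collapses it into a 1-5 score the way a RAG-style report would, ranks a remediation list by exposure and works out the net benefit of a control. The score bands, scenario names, frequencies and control cost are assumptions; only the £4.9 million and £5.2 million totals come from the text.

```python
from dataclasses import dataclass

# Assumed impact scale (not from the page): lower bound in GBP -> score 1..5.
# Anything between GBP 1M and GBP 10M lands in the same "4" bucket.
SCORE_BANDS = [(10_000_000, 5), (1_000_000, 4), (100_000, 3), (10_000, 2)]

def impact_score(annual_loss: float) -> int:
    """Collapse a loss figure into a 1..5 bucket, as a RAG-style report would."""
    for floor, score in SCORE_BANDS:
        if annual_loss >= floor:
            return score
    return 1

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected loss-event frequency, supplied by process owners
    loss_per_event: float   # expected disruption cost per event, in GBP

    def annualised_loss(self) -> float:
        # Classic annualised loss expectancy: frequency x single-loss magnitude.
        return self.events_per_year * self.loss_per_event

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float  # fraction of events the control prevents, 0..1

def residual(s: Scenario, c: Control) -> Scenario:
    """The same scenario after the control has cut the event frequency."""
    return Scenario(s.name, s.events_per_year * (1 - c.frequency_reduction), s.loss_per_event)

def net_benefit(s: Scenario, c: Control) -> float:
    """The board's second question: reduction in annualised loss minus control cost."""
    return s.annualised_loss() - residual(s, c).annualised_loss() - c.annual_cost

def prioritise(scenarios: list[Scenario]) -> list[Scenario]:
    """Order a remediation list by quantified exposure rather than by bucket."""
    return sorted(scenarios, key=lambda s: s.annualised_loss(), reverse=True)

# Constructed figures: the two annual totals match the GBP 4.9M / 5.2M pair in the text.
PLANT_A = Scenario("Ransomware halts plant A", 0.5, 9_800_000)
PLANT_B = Scenario("Ransomware halts plant B", 0.5, 10_400_000)
SEGMENTATION = Control("Network segmentation", 500_000, 0.5)  # hypothetical control

if __name__ == "__main__":
    for s in prioritise([PLANT_A, PLANT_B]):
        print(f"{s.name}: score {impact_score(s.annualised_loss())}, exposure GBP {s.annualised_loss():,.0f}")
    print(f"Net benefit of {SEGMENTATION.name} on plant B: GBP {net_benefit(PLANT_B, SEGMENTATION):,.0f}")
```

Both plants score "4" before and after the control, yet the quantified view ranks plant B first and shows the control returning GBP 2.1 million a year net of its cost.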
The supply chain ripple effect
We cannot ignore the supply chain. Every supplier that delivers for the government holds some level of cyber risk, and lately we’ve seen proactive moves from the NHS and the Ministry of Defence, which have sent letters to supplier CEOs insisting on cyber resilience.
What organisations should focus on now is balancing the equation. Government and large organisations still retain the risk, but they are now driving resilience down through the chain. Both the customer and supplier must understand the impact of disruption, moving beyond simple box-ticking exercises or basic security policy reviews.
Final thoughts
If there is one thing security leaders should take away from this conversation, it’s that we must move away from subjective reporting and measure the financial impact of cyber on core business processes.
The risk landscape is constantly evolving due to geopolitics and the unfortunate profitability of ransomware, and it’s not going away. But by treating cyber security as a quantifiable business risk rather than a technical silo, we can finally make the investment decisions that actually matter.
