Effective strategies for turning cyber risk data into business insights
'In today's AI-driven landscape, traditional methods of manually gathering technical cyber data points and attempting to report the same information to various audiences across business, technology, and cyber leaders are no longer effective,' says Ajay Arora, a managing director with Deloitte & Touche LLP. 'Organisations should embrace advanced analytics and tailored communication strategies to confirm that cyber risk insights are meaningful and actionable for each stakeholder group.'
'Board members are asking whether the company is exposed to cyber risks that they're reading about in the newspapers,' says Raj Mehta, a partner with Deloitte & Touche LLP. 'Many CIOs and CFOs are asking whether company investments in cyber security capabilities are aligned with the industry and peers. And regulators and auditors are asking whether the organisation has put the right tools and processes in place.'
As the face of cyber security for the organisation, chief information security officers (CISOs) face multiple challenges when it comes to answering these questions, be it the manual nature of data collection, the complexity of generating meaningful analytics or differing opinions and comfort levels when it comes to risk representation.
'Risk decision-making around cyber should be as credible, defendable, and trustworthy as financial statements,' says Arora. 'Finance teams collect data that is spread across different tools and processes in the organisation, and there is a clear methodology, framework, and understanding of what statements and reports like a balance sheet and a P&L are. That enterprise-wide understanding does not typically exist in cyber today, but it is where the industry is going.'
To get to the point where cyber is a standard part of the general business lexicon, it is essential for an organisation to develop a common assessment methodology for the risk-relevant data generated by cyber security tools and processes.
'Risks can then be quantified by consolidating and normalising data for processing through a common risk model,' says Mehdi Houdaigui, a principal with Deloitte & Touche LLP. 'The output of the model is then used for the purpose of creating detailed analyses across business units, regions, and functions in a way that is meaningful to different audiences.'
Below are three strategies to consider when building a foundational and trustworthy cyber reporting capability that enhances understanding for stakeholders.
Build a scalable cyber analytics foundation
The first step is to understand the audience and their use cases. Consider separating stakeholders into broad categories — for example, the cyber team, the IT team, and an extended business category — and then segmenting those categories further into different levels, such as executive, management, and operational.
When it comes to building a cyber analytics foundation, the first element to put into place is a metrics framework that incorporates the appropriate key risk indicators (KRIs), key performance indicators (KPIs), and the underlying data points to support each. For example, a reporting program might indicate workforce cyber resilience by identifying trends in failed phishing tests or in data loss event resolution. It might also provide supply chain risk intelligence by focusing on program governance, assessment coverage, and remediation.
'To run a cyber metrics and reporting program, organisations will need to continually analyse the data sets collected from their portfolio of cyber and technology tools,' says Stephen Gathman, a manager with Deloitte & Touche LLP. 'From those data sources, an effective set of risk indicators can be produced as a foundation for communicating cyber-induced business risks.'
Next, using standard risk scoring methodologies, data transformation, and advanced techniques (such as AI and machine learning), develop a risk engine that can take cyber data feeds and translate them into indicators of business risk.
Once these foundational capabilities are in place, the organisation can work on maturing capabilities in three areas: effective storytelling that is customised to particular audiences, translating technical cyber risk into both business risk and financial terms, and linking the cyber strategy to the business strategy.
Confirm trustworthy data quality, models
Technology and application teams must parse through vast amounts of cyber data to address risks, which can lead to uncertainty in prioritisation of risk reduction efforts. Common challenges include conflicting or redundant data gathered from multiple data sources, mixed data structures and models leading to issues when merged, varied rating methodologies and scales that can lead to confusing results, and excessive metrics tracking that can produce unclear messaging in reporting.
'It is imperative for cyber analytics teams to build trust in the quality of the risk analytics and metrics being produced from the varied data sources by implementing consistent and transparent models,' says Duncan Molony, head of Cyber Security and Data Analytics at Corebridge Financial.
Examples of such trust-related metrics include identity and access measures that help leaders visualise an expanding set of attack vectors, and secure application development (DevSecOps) measures such as tracking the use of secure code repositories.
Several steps can help address these challenges and develop a mature risk model:
• Deploy a common data model that houses data from multiple sources to maximise utility.
• Normalise the common data model to remove redundancy and achieve a centralised warehouse of risk data.
• Leverage a common risk scoring methodology to enable risk aggregation over multiple dimensions, such as business units or applications.
'Traditional cyber metric bottom-up reporting and cyber risk quantification (CRQ) in financial terms are increasingly converging to provide a richer context for decision-makers,' says Molony. 'This integration allows organisations to present a more comprehensive view of cyber risks, aligning technical data with financial impacts to enhance strategic decision-making.'
The goal is to end up with data that is accurate, complete, consistent, unique, and timely. This can then be aggregated appropriately for a particular audience.
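The three steps above and the data-quality goals (unique, timely, consistent) can be seen working together in the following Python illustration. It is an added example, not Deloitte's or Corebridge's model; the two tool names, the ordinal-to-numeric mapping, the 30-day freshness window, and all sample records are constructed assumptions.

```python
"""Added illustration: consolidate findings from two hypothetical tools with
different rating scales into a common data model, enforce uniqueness and
timeliness, apply one scoring scale, and aggregate by business unit.
Tool names, scale mapping, and records are constructed, not from any vendor."""
from dataclasses import dataclass
from datetime import date

# Common data model: one record shape regardless of which tool produced it.
@dataclass(frozen=True)
class Finding:
    source: str         # tool that produced the record
    asset: str          # hostname or application identifier
    business_unit: str  # dimension that business owners slice on
    issue: str          # stable identifier for the weakness
    score: float        # normalised severity on a common 0-100 scale
    observed: date      # when the tool last saw the issue

# Assumed mapping for a tool that reports Low/Medium/High instead of numbers.
ORDINAL = {"low": 25.0, "medium": 60.0, "high": 90.0}

def normalise(raw: dict) -> Finding:
    """Map a raw tool record onto the common model with a 0-100 score."""
    if raw["source"] == "scanner_a":        # hypothetical tool: 0-10 numeric rating
        score = float(raw["cvss"]) * 10.0
    elif raw["source"] == "scanner_b":      # hypothetical tool: ordinal rating
        score = ORDINAL[raw["rating"].lower()]
    else:
        raise ValueError(f"unknown source {raw['source']}")
    return Finding(raw["source"], raw["asset"], raw["bu"], raw["issue"],
                   score, date.fromisoformat(raw["seen"]))

def build_model(raw_records, as_of: date, max_age_days: int = 30):
    """Normalise, drop stale evidence, and keep one row per asset+issue
    (when two tools disagree, the higher score is retained)."""
    unique = {}
    for raw in raw_records:
        f = normalise(raw)
        if (as_of - f.observed).days > max_age_days:
            continue                        # timeliness: stale records excluded
        key = (f.asset, f.issue)
        if key not in unique or f.score > unique[key].score:
            unique[key] = f                 # uniqueness: no duplicate rows
    return list(unique.values())

def aggregate(findings, dimension: str):
    """Open-finding count and mean score per value of a dimension
    (business_unit, asset, ...), the view a persona dashboard presents."""
    buckets = {}
    for f in findings:
        buckets.setdefault(getattr(f, dimension), []).append(f.score)
    return {k: {"count": len(v), "avg_score": round(sum(v) / len(v), 1)}
            for k, v in buckets.items()}

# Constructed feed: two tools, one overlapping finding, one stale record.
SAMPLE = [
    {"source": "scanner_a", "asset": "web-01", "bu": "Retail", "issue": "TLS-weak", "cvss": 7.5, "seen": "2025-06-10"},
    {"source": "scanner_b", "asset": "web-01", "bu": "Retail", "issue": "TLS-weak", "rating": "Medium", "seen": "2025-06-12"},
    {"source": "scanner_b", "asset": "erp-02", "bu": "Finance", "issue": "Patch-missing", "rating": "High", "seen": "2025-06-01"},
    {"source": "scanner_a", "asset": "hr-03", "bu": "Finance", "issue": "Default-creds", "cvss": 9.8, "seen": "2025-03-01"},
]
AS_OF = date(2025, 6, 14)  # constructed reporting date

def run_report():
    """Business-unit view over the constructed feed."""
    return aggregate(build_model(SAMPLE, as_of=AS_OF), "business_unit")

if __name__ == "__main__":
    print(run_report())
```

The duplicate web-01 finding collapses to one row at the higher score, and the 105-day-old hr-03 record is excluded, so the stale critical does not inflate the Finance figure.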
'As cyber risk reporting moves up the chain within an organisation, the scope of relevant risk metrics narrows and more data needs to be aggregated at the appropriate level for the right audience or stakeholder group,' says Tiffany Kleemann, a managing director with Deloitte & Touche LLP.
'For example, those at the operational level may need to see technical data points, whereas those in the C-suite may require information to be aggregated and presented in business terms that reflect business risk, operational resiliency and disruption, or compliance risk. As aggregation increases, it is imperative to strengthen the foundation of data governance and data quality to build and sustain trust in cyber risk reporting,' adds Kleemann.
Provide actionable risk intelligence
'In Deloitte's experience, boards and audit committees often ask questions that fit into one of two buckets: risk exposure, or readiness and resiliency,' says Arora. 'They want to know how exposed the company is to cyber risk and then how ready the organisation is to respond should an incident occur.'
A leading way to measure and illustrate cyber risk is to build a series of persona-based dashboards and composite, outcome-oriented indicators that can provide actionable insight in a way that is easily digestible. Effective reporting and dashboards gauge levels of cyber risk exposure and resilience, helping the organisation to quantify its cyber posture via frameworks such as the National Institute of Standards and Technology Cybersecurity Framework.
In addition to decision intelligence, actionable cyber reporting can be used to translate cyber risks into the business terms typically used to discuss operational disruption, reputational risk, or financial loss. 'The output also provides cyber teams with the insight to break down items by dimensions, such as business units, brands, products, or regions so the information is meaningful for the owners who drive action in the business,' says Arora.
'Being able to slice and dice the metrics by dimension is what helps make the risk intelligence actionable,' says Gathman.
By leveraging momentum from strong quantification foundations and data models, the rapid advancement in AI and data collection is slated to enable streamlined identification and potential burndown of cyber risk. By pursuing these capabilities, organisations can enhance investment value in cyber tools and capabilities, while removing ineffective processes and technologies.
Isobel Markham, senior writer, Executive Perspectives in The Wall Street Journal, Deloitte Services LP
As published by the Deloitte US Chief Financial Officer Program in the June 14 2025 edition of The Risk & Compliance Journal in the WSJ.
Disclaimer
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ('DTTL'), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as 'Deloitte Global') does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the 'Deloitte' name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2025 Deloitte Development LLC. All rights reserved.