
Alan Katt
Co-founder and CEO, SeCore

Basel Katt
Co-founder, SeCore, Professor at NTNU Gjøvik, Head of Department of Information Security and Communication Technology
Organisations that take a quantitative approach to cyber security can affordably prioritise remediation efforts, while genuinely reducing their overall cyber risk.
Recent high-profile breaches have affected UK organisations. Why do these happen even where compliance requirements are met?
Alan Katt: Compliance isn’t the same as security. Most compliance frameworks are designed to confirm that certain controls exist at a specific point. They don’t measure how exposed an organisation is as systems change, suppliers are added or attackers adapt methods.
Many recent breaches haven’t occurred because organisations ignored compliance, but because risk accumulated across interconnected systems, third parties and cloud environments. Without a way to measure how those risks interact or escalate, organisations can appear compliant while still being highly exposed.
What does a “quantitative” approach to cybersecurity mean?
Basel Katt: Quantitative cybersecurity means moving away from subjective judgment and long technical reports, and toward measurable, comparable insight. Rather than simply listing vulnerabilities or controls, we focus on measuring likelihood, impact and overall exposure. This allows risk to be expressed in terms business leaders understand — prioritisation, trade-offs and outcomes — rather than technical detail.
For business leaders, this matters because cyber risk becomes something that can be quantitatively measured, managed and tracked over time, much like financial or operational risk. It supports better decisions about investment, what to fix first and how to demonstrate improvement in a defensible way.
How can organisations prioritise remediation efforts to reduce overall risk?
AK: One of the biggest challenges facing organisations is knowing where to start. Most security teams are presented with long lists of issues, many of which look urgent. We help organisations prioritise remediation by quantifying assurance and risk, not just identifying issues.
We look at what controls are in place and, simultaneously, where potential vulnerabilities exist. We then quantify the findings in terms of business impact and how that issue connects to other weaknesses. This means remediation is focused on actions that reduce overall exposure, rather than fixing issues in isolation. The result is more efficient use of time and budget and measurable reductions in risk.
AI and automation are increasingly shaping cybersecurity. How are you using these technologies today, and how will they influence your platform?
AK: AI and automation are essential for keeping pace with how quickly environments and threats change, but they need to be applied practically. Our platform uses automation to support more accurate and frequent assessments, identify changes in exposure as systems evolve and improve the speed at which risk can be analysed and prioritised. This approach was recently recognised when SeCore was named winner of the AI and Automation category at the Envestors Innovator Awards.
AI helps us surface what matters most, rather than overwhelming teams with raw data. Looking ahead, these capabilities will allow organisations to move toward more continuous assurance, while still relying on human expertise for judgement, validation and remediation.
How do frameworks such as ISO 27001 fit into today’s security and compliance landscape?
BK: They remain important because they provide structure, consistency and a recognised baseline for managing information security. However, they’re most effective when treated as a foundation rather than an endpoint. Certification alone doesn’t show how exposed an organisation is in practice, or how risk is changing between audits. Quantitative assurance complements frameworks like ISO 27001 by providing ongoing visibility into exposure, helping organisations obtain evidence that controls exist — and that they’re effective in reducing real-world risk.
How do you expect organisations’ approach to cyber risk and assurance to evolve over the next few years?
BK: While standards and compliance will continue to be essential, we expect a continued shift away from static, compliance-only approaches toward measured, evidence-based assurance. Cyber risk will increasingly be discussed at the board level, supported by quantitative insight rather than technical reporting. Automation and AI will play a role in enabling more frequent assessment, while human expertise remains critical for interpretation and response.