• United States




Cyber risk systems – how to get them to get it

Sep 11, 20175 mins
AnalyticsComplianceData and Information Security

A cyberrisk system should align your entire team with your effort to secure the company.

cybersecurity boards
Credit: Thinkstock

“We worry top-down. But risk assess bottom-up”

–Erik Kellogg (a play on a quote by Seth Klarman)

Why do you need a risk system?

It may seem kind of obvious, but we CISOs, and all cyber professionals, need to be able to speak to risks in a way that executives, other departments, clients, and team members will understand. Sure, it’s easy enough to run a vulnerability scan and get a 400 page report detailing every vulnerability within your network. But without a risk system in place, the priorities put on fixing those would be all wrong. For example, if you spend time and money implementing an Intrusion Detection System (IDS) but don’t change your firewalls’ default admin password, you’re risk model needs an overhaul. Boards and executives also love metrics and to be able to quantify, well…everything, including ROI on cybersecurity. Having a risk system in place, while by no means is a complete way to quantify cyber spend, is a good place to start.

There’s a real cyber risk system?

Yes, there is, and you don’t have to attend a school like Hogwarts to understand it. While our (inCyber’s) particular risk system is a proprietary model that includes factors from industry standard frameworks, regulatory guidelines, compliance issues, and cumulative independent experience, every cyber pro creates their own system given the scenario. For example, what is the core business, what regulations must you adhere to, how complex is the infrastructure? Every cyber professional will start with a standard framework and tweak certain variables for his or her own needs. This is the basis that allows us to prioritize and manage all cyber risks.

Top down, bottoms up

To have an effective risk system, we need to understand exactly what is at risk. Seems simple enough, but this goes beyond merely identifying sensitive information within the infrastructure. We need to understand the core business, how the business operates, who they business with, so on and so forth all the way down to which kind of battery back-ups are being used (if any). Without that thorough understanding of all aspects of the business you cannot properly understand and, therefore, manage your cyber risks.

Where to start? Ask simple questions

What happens if someone clicks a ransomware link? What do we do if someone is DoS-ing our firewall? Or our WiFi access points? What happens if we get an email from an investor asking to change their account information? Who do we call when we get audited by a regulator and they want more than just a copy of our policies? How do handle a vendor breach?

Now some of these are going to have simple answers with mostly predictable outcomes. The risk system comes into play when you start weighing the importance of particular pieces of infrastructure in relation to the business impact. For example, your wifi probably has a low impact on your business, but what if someone was able to get a hold of your firm’s intellectual property? This could be in the form of a private investment deal, trading code, or even hacking your web cam/microphone to record conversations. These types of questions and scenarios will help you weigh the risks appropriately in your risk system.

Deeper exposure, business impact

Now that we’ve thought long and hard about the overall exposure factors, we need to do something about them. It’s up to each cyber professional to create the measurement weightings within their model, but once that’s in place we can give them a value. It’s a relative value, but let’s not forget that the basis of this whole system is rooted in one of the industry frameworks (NICE, NIST, ISO, NERC, etc). Therefore, you can have a starting value for each category that’s relevant to the business. You can also extrapolate the amount of business impact over a few long conversations with the company CFO. What will it cost the company to be down per day? What if we can only access the internet, but not our core applications? What if we send money to a hacking group from a phishing email? What will it cost, per hour, to have the CEO deal with a cyber incident?  It may help to search the internet for past cyber events and what it cost those firms, but now with all this information you can start building your cyber risk system.

So, you’re saying there’s a chance…?

  • When a company has a proper cyber risk system in place, they have a much better chance of not falling victim to a cyber-attack.
  • Communication among board members and executives will be easier and more concise when you provide clear metrics on your cyber needs and goals.
  • You can work with the CFO to help quantify risks, thus zeroing in on a ROI when you need to spend money on additional staff, vendors, or technology.

As cyber professional’s it’s easy for us to forget that most people don’t view risks the way we do. Most executives understand there is a risk out there, but if they can’t understand it or make sense of it, they are more likely to ignore it giving it mininal attention.

Having a risk system in place is a way to bridge the gap and help people understand cyber impacts in dollars and cents, which everyone can relate to.


Erik Kellogg is the CEO of inCyber Security, a full service cyber security firm specializing in the financial industry. He has over 16 years of professional experience filling key roles from engineering to C-level working with trading firms, clearing houses, trading software companies, consulting firms, banks, hedge funds and RIAs.

Erik also had a 6-year period as a professional trader while simultaneously managing technology for a group of prop traders. Being able to understand the different sides of the financial industry has enabled Erik to protect and help his clients from a broader perspective.

The opinions expressed in this blog are those of Erik Kellogg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.