Cyber danger to our businesses comes in unexpected forms and from unexpected directions.
To protect our businesses, we oftentimes invest in hard outer defensive shells and in sentinel agents roaming our internal networks, leaving a soft technical and operational center. This duality creates an inherent weakness in both the cyber operation and risk management. Our most effective standards, objectively speaking (NIST, FFIEC, ISO, etc.), treat this weakness as being mitigated through cyclical risk assessments.
However, the single most dangerous thing I have seen grow from within the cybersecurity industry is the concept of loss leader cyber risk assessments.
The implication of loss-leader cyber marketing goes far beyond the ‘timeshare in Cancun’ remorse; it stabs at the very heart of all we are attempting to accomplish with our business risk management initiatives. As a business executive, you are all too aware that the “lead” side of any loss-leader approach is determined by the sales team and is not directly tied to findings or need.
A cyber risk assessment should give us a view that spans technology assignments and business organizations. The results should provide a roadmap to continuous improvement beyond the hard outer shell and allow us to understand the importance of complete protection and the investment it requires.
Here are some guidelines for ensuring you get the most benefit from your risk assessment (to include self-assessments):
- Inclusive of, but not limited to, your industry specific standards
- Assessment teams that incorporate your own staff
- Not limited to IT
- Transparency and open review of findings and methodologies used
- Flexibility to modify approach to meet your specific business topology
- Not tied to any technology or program beyond the cyber risk analysis itself
- Involves people and teams, not exclusively a scanning software solution
- Provides a clear and concise view that allows you to readily understand your strengths and weaknesses
- Does not predict remediation amounts or dollars of exposure (this has the same tinge as a loss leader)
- Must leave your organization empowered to make your own risk judgement based on findings
- Must provide results in business terms with actionable results
Many times Deep Run has started an engagement with a CEO, CRO or CIO saying, “I need to, objectively, know my cyber risk, and a way to incorporate it into my existing business risk models.” As a risk manager, you must ensure your risk assessments do exactly that: reveal unknown weaknesses and give you a roadmap that can be incorporated into your existing business risk methodologies. Cyber risk cannot be successfully managed as an island of risk; its inclusion in the overall business risk management is imperative, and it certainly cannot be treated as a loss leader by your cyber partners.
A cyber risk partner interested in your secure future understands the foundational importance of assessing cyber risk, and will never lead you to believe it should be discounted or offered as anything less than pivotal to your cyber protection.
The business industry needs loss leader cyber assessments like a computer needs a tanning bed.
– Gary Merry, CEO