My path to cyber risk

I joined McKinsey’s Risk practice as an intern in 2014. We advise clients mainly on credit, market, and operational risk-related issues. At the time, my experience and interests were about as far away from cyber-attacks and data breaches as possible. However, I remember a partner saying to me that spring that “suddenly, all chief risk officers wanted to talk about cyber risk.”

When I re-joined the firm full-time as a risk analyst in Frankfurt in 2016, the world had changed. Cyber risk had climbed on every board’s agenda, and the opportunities to have a real impact by managing this risk for clients were growing. Almost all companies are exposed to cyber risk, given extensive use of electronic data and IT/OT systems.

Given these developments, I decided to focus on cyber risk. I connected with internal McKinsey experts in the subject, read entry-level literature and attended conferences to learn. After a while, I started supporting clients by doing research, such as a comprehensive analysis of cyber risk attack developments. I published my insights on our firm knowledge platform and became a main point of contact on cyber risk. I realized it has immense benefits to be at the forefront of a topic; the opportunities to gain deep content expertise are just manifold. Being an expert puts me in an entrepreneurial position; I get to improve existing frameworks and invent new solutions. I’m always learning, as I seek to answer the many different questions my colleagues and clients ask me. It’s rewarding to be known for something, and it’s exciting to be in such a fast-paced environment.

What surprised me most about cyber risk is that it is much more than just IT risk. It’s an enterprise, strategic, and organization-wide risk. Hence, to work as a cyber risk analyst, you don’t need to be a techie. I have a business degree with a focus on management. Bringing together people with different backgrounds and perspectives is one of McKinsey’s strengths and a big part of why we’re able to help clients develop the best possible strategies to mitigate risk.

From a more personal perspective, McKinsey will also support you on your learning journey if you want to obtain certifications. For example, I am finishing my FRM (Certified Financial Risk Manager by GARP) and next, I’ll go for additional cyber risk certifications, such as the CSX and CISM by ISACA.

Cyber risk has become a pillar within our Risk practice, and I expect cyber risk management to grow to something even more exciting. Cyber threats, data storage on the cloud, mobile devices, social media, the Internet of Things (IoT), artificial intelligence applications and privacy regulation all relate to the world of cyber risk and are part of our daily work. As the importance of these factors rises, the future for cyber risk and a professional career in this field remains promising.

Find a role like Julian’s
