What Businesses Get Wrong About Cyber Risk

Episode Summary

Roman Itskovich, Co-founder & CRO at At-Bay, joins Mudassar Malik on Behind the Growth to unpack how cyber risk has evolved into a primary business risk—and why traditional approaches to managing it are no longer sufficient. Roman traces his path from military and fintech into cyber, highlighting how increasing reliance on technology has shifted risk from the periphery to the core of enterprise operations.

He explains why cyber risk behaves differently from other forms of risk. Unlike static business risks, technology environments are constantly changing, and so is the level of exposure. That shift requires a fundamentally different approach—one that goes deeper than surface-level indicators like industry or revenue, and instead focuses on understanding the underlying technology stack in detail.

Roman introduces At-Bay’s “insure-sec” model, which combines insurance with active security. Rather than simply underwriting risk based on limited inputs, this model continuously evaluates and improves a company’s security posture. He breaks down the two principles behind this approach: the need for technical visibility to assess risk accurately, and the ability to actively intervene to reduce that risk over time.

The conversation highlights how this model changes the role of insurance—from a static transfer of risk to a more dynamic system that informs better decisions. For enterprise leaders, it reframes how to think about cyber risk, not just as something to mitigate, but as something that can be measured, managed, and priced with greater precision.

Featured Guest

  • Name: Roman Itskovich
  • What he does: Co-founder & Chief Revenue Officer
  • Company: At-Bay
  • Noteworthy: Roman Itskovich is the Co-Founder and Chief Risk Officer of At-Bay, the InsurSec provider for the digital age. Before At-Bay, he was VP of Financial Products at Ebury, served on the investment team at Bain Capital, and consulted at McKinsey & Company. Roman also holds an MBA from Harvard Business School.

Key Insights

Cyber risk is now a primary business risk driver
As organizations rely more heavily on technology to run core operations, the risk associated with that technology becomes the dominant risk to the business itself. This shifts cyber risk out of IT and into the center of enterprise decision-making. Leaders can no longer treat cybersecurity as a technical issue managed in isolation. It directly affects continuity, revenue, and long-term resilience. This means reframing how risk is assessed and discussed, elevating it to the same level as financial or operational risk, and ensuring it is understood and acted on across the organization.

Understanding the technology stack is critical to assessing risk
Traditional approaches to risk rely on high-level indicators like industry, revenue, or company size. In cyber risk, those signals are not sufficient. What matters is the specific technology a business uses, how it is integrated, where it sits, and how it operates. Without that level of visibility, risk cannot be accurately assessed. This introduces a more demanding but necessary requirement: organizations need deeper insight into their own technology environments. It also changes how risk is evaluated externally, particularly by insurers or partners, and reinforces the need for tighter alignment between engineering, security, and risk functions.

Cyber risk is dynamic and can be actively reduced
Unlike many traditional risks that remain relatively static over time, cyber risk is constantly evolving based on changes in technology and how it is used. This creates both complexity and opportunity. Organizations are not locked into a fixed risk profile; they can actively intervene to improve their security posture. That shift changes the role of risk management from passive assessment to continuous improvement. This means investing in capabilities that allow ongoing monitoring and adjustment, rather than relying on periodic reviews, and treating risk as something that can be shaped in real time rather than simply transferred or accepted.

More companies in the US go out of business because of a cyber attack than because of all other property perils combined.

Episode Highlights

From Tech Risk to Business Risk

Roman connects the rise of cyber risk directly to how businesses operate today. As companies embed technology deeper into their core functions, the exposure tied to that technology becomes inseparable from business performance. This reframes cyber from a support function concern into something that directly impacts enterprise value and continuity.

“As businesses use more and more technology as a core part of their operation, the risk to technology becomes the main risk to business.”

A Risk That Keeps Growing

Roman challenges the idea that cyber risk will plateau or stabilize. Instead, he frames it as a function of increasing technological dependence, making its trajectory predictable. The more digital an organization becomes, the more central and unavoidable this risk becomes.

“Are businesses going to be using more technology in the future or less? And the answer to that is pretty clear. So this risk becomes much more significant.”

Cyber Risk Is Not Well Understood

Drawing from his experience in financial markets, Roman highlights how immature cyber risk still is compared to other risk categories. It lacks clear pricing models and consistent understanding, which creates both uncertainty and opportunity for new approaches to emerge.

“This is a completely new risk. It’s not well understood. It’s not well priced.”

Insurance Needs Technical Depth

Roman explains why traditional insurance models fall short in cyber. High-level indicators like industry or revenue don’t provide enough signal. Instead, understanding risk requires deep visibility into the actual technologies a company uses and how they are implemented.

“To understand cyber risk, you need to understand the technology that is at risk.”

Cyber Risk Is Not Static

Roman contrasts cyber risk with more stable forms of risk, pointing out how both the threat landscape and internal systems are constantly evolving. This makes cyber fundamentally dynamic—and importantly, something organizations can actively influence.

“Cyber is dynamic. So what technologies are good or bad changes over time, but also you can intervene and change your technology in a way that makes it much more secure.”
