
Stop digital adversaries with a risk-based cybersecurity approach: Part One 

David Levine, Vice President of Corporate and Information Security, CSO CISM, Ricoh USA, Inc. 

Summary

The first in a two-part series on the risk-based approach to cybersecurity.

Time: 3-minute read


As the majority of the workforce has dispersed, devising solutions for fluid communication and collaboration, as well as data management, is now a top priority for many companies. To keep employees actively engaged and productive, making data available from any location is key.


New and ever-expanding technologies continue to open existing and novel avenues for your business's cyber adversaries, and these pathways are constantly being manipulated and are constantly evolving.

So, it comes as no surprise that cybersecurity has rapidly climbed the list of executives’ organizational priorities. 

Companies that embrace cyber resilience and risk analysis go beyond the basics to see greater results and returns against cyber attack. How are they doing this?


In part, by using a risk analysis approach to understand the real risk to the organization and to help teams prioritize the most important gaps and projects.


They prioritize respective risk factors using a risk-based approach. This approach is realistic, tangible, measured, and puts the primary focus on the biggest and most potentially impactful security risks.


The risk-based approach also considers the concept of risk acceptance – how much risk are you willing to take in a given scenario?

In this first in a two-part series, we look at:

  • The emerging channels for cyber attack
  • The importance of cyber resilience, and
  • How taking a risk-based approach to cybersecurity gives you an edge over cybercriminals.

Evolving channels for cyber attacks

Cyber threats (42%) are a leading concern among 5,050 global CEOs this year, second only to pandemics and health crises (52%). This is a significant uptick since the beginning of 2020. Before the pandemic struck, cyber threats ranked fourth. Over-regulation, trade conflicts and uncertain economic growth all ranked higher, according to PwC.

Why? 

Cyber adversaries are accessing your most sensitive data via ever evolving channels: 

  • Increased mobile and remote networking

  • Cloud computing

  • AI

  • IoT 

  • DDoS (distributed denial of service) attacks

  • Insider threats

  • Third parties/supply chain

It’s no surprise that the management of cybersecurity has to evolve to keep up, as business leaders everywhere search for the best way to tackle it.


Become cyber-resilient

Enter cyber resilience—an entity's ability to anticipate, endure, recover and evolve relative to cyber threats and events.

Cyber resilience focuses, in part, on forward thinking and analysis, of which risk analysis is a key component, together with the ability to adapt quickly. The ultimate goal is protecting your company, customers and partners.

Using risk analysis as part of your cyber resiliency program helps you quantify and focus on the areas that pose the biggest threat; that is, it fuels the "anticipate" aspect. Also, like threats, risks evolve, so a good resiliency program must be cyclical in nature.


The cyber-savvy risk-based approach 

To understand the emphasis on a risk-based approach, let’s look at where we’ve been. For years, the common "maturity-based" approach met business needs for sustainable, repeatable, and mature enterprise risk management.

In today’s ultra-connected world, these programs struggle to keep up with ever-changing and increasing demands. Because IT departments cannot put the same level of effort into everything, everywhere, we must prioritize and focus our efforts.

Today we need a more strategic, risk-based approach to help control the most relevant and vulnerable areas of potential risk.

A risk-based approach employs a systematic methodology to identify, evaluate, and prioritize the threats you face to mitigate the biggest risks first. 

We all need to realize that we simply cannot prevent all cyber attacks or chase down every cyber risk. But you can protect your organization.

It starts by determining where to prioritize IT security investment—in terms of time and money—by identifying the gaps in your security programs that expose the potential for the greatest business impact. You will likely uncover numerous gaps, but they won’t all represent the same level of risk, so it’s wise to rank the potential business impact. 

Using the risk-based approach to mitigate risk lets you reach your “target risk appetite”—the amount and type of risk you are willing to accept in pursuit of your business goals—at significantly less cost. 

For example, according to McKinsey, one company increased its projected risk reduction 7.5x above the original program at no added cost. How did they do it? They simply reordered the security initiatives in the backlog according to the risk-based approach.

Whether assessing a global threat, addressing a localized vulnerability, or simply evaluating trends, it would be irresponsible to overreact to risks and make fear-based decisions or grandiose assertions that over-generalize a threat’s true impact. A risk-based methodology allows you to ask the right questions to get to the root of the severity of the threat.

Here are some questions to ask yourself as you shift to a risk-based approach to cybersecurity:

Relative to vulnerabilities:

  • What is the real risk to the company?
  • Do we even use the product or system that’s vulnerable? 
  • If yes, is it used in a way that puts the company at risk? 
  • Are there mitigating controls?
  • What would the actual reality of the impact be?

Relative to evaluating third parties:

  • What data is involved?
  • Is it regulated?
  • What type of connectivity exists?

The point here is that not all things are created equal. You must determine your level of risk acceptance. For example, you may be willing to accept a lower level of security if the true risk is very low. Conversely, in high-risk and/or regulated environments your tolerance for anything other than full compliance may be low to non-existent.
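The questions above, together with the backlog-reordering result quoted from McKinsey, can be turned into a small, repeatable scoring exercise. The following Python script is an added example and is not Ricoh's or the author's code. It scores each finding on likelihood and business impact (1 to 5), then adjusts the score using the triage questions from this section (is the vulnerable system in use, is it used in a way that exposes the company, are there mitigating controls, is regulated data involved), ranks remediation work by risk reduction per unit of cost, and compares that ordering with the team's original backlog order under the same budget. The findings, the 1 to 5 scales, the halving factors and the cost units are all constructed assumptions for illustration.

```python
"""Risk-based prioritization of a security backlog (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)  [assumed scale]
    impact: int                    # 1 (negligible) .. 5 (severe business impact)
    in_use: bool = True            # "Do we even use the vulnerable product or system?"
    exposed: bool = True           # "Is it used in a way that puts the company at risk?"
    mitigating_controls: int = 0   # "Are there mitigating controls?" (count in place)
    regulated_data: bool = False   # "Is the data regulated?" (third-party question)
    remediation_cost: int = 1      # relative effort, e.g. person-days [assumed unit]


def inherent_risk(f: Finding) -> float:
    """Classic likelihood x impact before any context is applied."""
    return float(f.likelihood * f.impact)


def residual_risk(f: Finding) -> float:
    """Apply the triage questions to get the 'actual reality of the impact'."""
    if not f.in_use:
        return 0.0                      # nothing to protect: real risk is zero
    risk = inherent_risk(f)
    if not f.exposed:
        risk *= 0.5                     # assumption: safe usage pattern halves the risk
    risk *= 0.5 ** f.mitigating_controls  # assumption: each compensating control halves it
    return risk


def plan(findings: list[Finding], budget: int, risk_based: bool = True):
    """Greedily fill `budget` with findings and return (chosen names, risk reduced, risk left).

    risk_based=True orders by residual risk per unit cost, with regulated-data
    findings first (tolerance there is near zero). risk_based=False keeps the
    backlog in its original order, standing in for a maturity-based programme.
    """
    order = list(findings)
    if risk_based:
        def key(f: Finding):
            rr = residual_risk(f)
            mandatory = f.regulated_data and rr > 0
            return (0 if mandatory else 1, -rr / f.remediation_cost)
        order.sort(key=key)

    chosen, spent, reduced = [], 0, 0.0
    for f in order:
        if spent + f.remediation_cost > budget:
            continue                    # does not fit; a cheaper item may still fit
        chosen.append(f.name)
        spent += f.remediation_cost
        reduced += residual_risk(f)
    remaining = sum(residual_risk(f) for f in findings) - reduced
    return chosen, reduced, remaining


# Constructed sample backlog, listed in the order the team originally queued it.
BACKLOG = [
    Finding("Patch legacy FTP server", 4, 2, in_use=False, remediation_cost=3),
    Finding("Rotate stale vendor API keys", 3, 4, regulated_data=True, remediation_cost=2),
    Finding("Enable MFA on remote VPN", 5, 5, remediation_cost=4),
    Finding("Harden intranet wiki TLS config", 2, 2, mitigating_controls=2, remediation_cost=1),
    Finding("Patch internet-facing web app (known exploited)", 5, 4, remediation_cost=2),
    Finding("Upgrade printer firmware on isolated VLAN", 3, 3, exposed=False,
            mitigating_controls=1, remediation_cost=2),
]


if __name__ == "__main__":
    budget = 8                          # assumed: effort available this cycle
    appetite = 5.0                      # assumed: residual risk the business will accept
    for label, rb in (("backlog order", False), ("risk-based order", True)):
        chosen, reduced, remaining = plan(BACKLOG, budget, risk_based=rb)
        print(f"{label}: {chosen}")
        print(f"  risk reduced={reduced:.2f} remaining={remaining:.2f} "
              f"within appetite={remaining <= appetite}")
```

Run as-is, the same budget of 8 units removes 33 units of residual risk in backlog order but 57 in risk-based order, and only the second ordering lands inside the assumed risk appetite. The halving factors are placeholders; a real programme would replace them with its own calibrated control-effectiveness values.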

 

For more about the risk-based cybersecurity approach, including information about cybersecurity metrics, emerging methodologies, and the evolving role of IT security leadership, read part two of this series, “Using security metrics to achieve cyber resilience.”

 

 
David Levine 2017

 

 

David Levine is Vice President of Corporate and Information Security, CSO CISM, Ricoh USA, Inc. In this role, he oversees cyber and physical security, trade compliance, access management, eDiscovery and litigation support, and select compliance functions, and he is routinely engaged in customer discussions on risk and security. He also chairs Ricoh’s security advisory council and leads the company’s global security team.
