Stop digital adversaries with a risk-based cybersecurity approach: Part One
David Levine, Vice President of Corporate and Information Security, CSO CISM, Ricoh USA, Inc.
The first in a two-part series on the risk-based approach to cybersecurity.
Read time: 3 minutes
As the majority of the workforce has dispersed, devising solutions for fluid communication and collaboration, as well as data management, is now a top priority for many companies. To keep employees actively engaged and productive, making data available from any location is key.
New and ever expanding technologies continue to exploit existing and novel avenues to your business' cyber adversaries, and these pathways are constantly being manipulated and evolving.
So, it comes as no surprise that cybersecurity has rapidly climbed the list of executives’ organizational priorities.
Companies that embrace cyber resilience and risk analysis go beyond the basics to see greater results and returns against cyber attack. How are they doing this?
In part, by understanding and using a risk analysis approach to understand the real risk to the organization and to help teams prioritize the most important gaps and projects.
They prioritize respective risk factors using a risk-based approach. This approach is realistic, tangible, measured, and puts the primary focus on the biggest and most potentially impactful security risks.
The risk-based approach also considers the concept of risk acceptance – how much risk are you willing to take in a given scenario?
In this first in a two-part series, we look at:
The emerging channels for cyber attack
The importance of cyber resilience, and
How taking a risk-based approach to cybersecurity gives you an edge over cybercriminals.
Evolving channels for cyber attacks
Enter cyber resilience—an entity's ability to anticipate, endure, recover and evolve relative to cyber threats and events.
Cyber resilience focuses on, in part, forward thinking and analysis, of which risk analysis is a key component as well as the ability to adapt quickly with the ultimate goal of protecting your company, customers and partners.
Using risk analysis as part of your cyber resiliency program helps quantify and focus on the areas that are the biggest threat i.e. fuels the anticipate aspect. Also, like threats, risks evolve as well so a good resiliency program must be cyclical in nature.
The cyber-savvy risk-based approach
To understand the emphasis on a risk-based approach, let’s look at where we’ve been. For years, the common "maturity-based" approach met business needs for sustainable, repeatable, and mature enterprise risk management.
In today’s ultra-connected world, these programs struggle to keep up with ever changing and increasing demands. Because IT departments cannot put the same level of effort into everything, everywhere; we must prioritize and focus our efforts.
Today we need a more strategic, risk-based approach to help control the most relevant and vulnerable areas of potential risk.
A risk-based approach employs a systematic methodology to identify, evaluate, and prioritize the threats you face to mitigate the biggest risks first.
We all need to realize, we simply cannot prevent all cyber attacks or chase down every cyber risk. But you can protect your organization.
It starts by determining where to prioritize IT security investment—in terms of time and money—by identifying the gaps in your security programs that expose the potential for the greatest business impact. You will likely uncover numerous gaps, but they won’t all represent the same level of risk, so it’s wise to rank the potential business impact.
Using the risk-based approach to mitigate risk lets you reach your “target risk appetite”—the amount and type of risk you are willing to accept in pursuit of your business goals—at significantly less cost.
For example, one company increased its projected risk reduction 7.5x above the original program at no added cost. How did they do it? They simply reordered the security initiatives in the backlog according to the risk-based approach, according to McKinsey.
Whether assessing a global threat, addressing a localized vulnerability, or simply evaluating trends, it would be irresponsible to overreact to risks and make fear-based decisions or grandiose assertions that over-generalize a threat’s true impact. A risk-based methodology allows you to ask the right questions to get to the root of the severity of the threat.
Here are some questions to ask yourself as you shift to a risk-based approach to cybersecurity:
Relative to vulnerabilities:
What is the real risk to the company?
Do we even use the product or system that’s vulnerable?
If yes, is it used in a way that puts the company at risk?
Are there mitigating controls?
What would the actual reality of the impact be?
Relative to evaluating third parties:
What data is involved?
Is it regulated?
What type of connectivity exists?
The point here is that not all things are created equal. You must determine your level of risk acceptance. For example, you may be willing to accept a lower level of security if the true risk is very low. Conversely, in high risk and or regulated environments your tolerance for anything other than full compliance may be low to non-existent.
For more about the risk-based cybersecurity approach, including information about cybersecurity metrics, emerging methodologies, and the evolving role of IT security leadership, read part two of this series, "Using security metrics to achieve cyber resilience."
Recommended for you
Defining Hacking & 11 Essential Hacking Terms
What is hacking? Learn about hacking threats and 11 essential hacking terms to protect your data, your business & your employees against cyberattacks.
5 server security concerns you need to know
Server security concerns exist whether your server is locked in a data center, sits in an office or is hosted in the cloud.
Part Two: a risk-based approach to cybersecurity
This is part two of a series of the benefits of a risk-based approach to cybersecurity, how to measure it and what emerging methodologies exist.