As the majority of the workforce has dispersed, devising solutions for fluid communication and collaboration, as well as data management, is now a top priority for many companies. To keep employees actively engaged and productive, making data available from any location is key.
New and ever-expanding technologies keep opening existing and novel avenues for your business's cyber adversaries, and those pathways are constantly being manipulated and are always evolving.
So, it comes as no surprise that cybersecurity has rapidly climbed the list of executives’ organizational priorities.
Companies that embrace cyber resilience and risk analysis go beyond the basics to see greater results and returns against cyber attack. How are they doing this?
In part, by using a risk analysis approach to understand the real risk to the organization and to help teams prioritize the most important gaps and projects.
They rank the individual risk factors using a risk-based approach. This approach is realistic, tangible, and measured, and it puts the primary focus on the biggest and most potentially impactful security risks.
The risk-based approach also considers the concept of risk acceptance – how much risk are you willing to take in a given scenario?
In this first of a two-part series, we look at:
Cyber threats (42%) are a leading concern among 5,050 global CEOs this year, second only to pandemics and health crises (52%). This is a significant uptick since the beginning of 2020. Before the pandemic struck, cyber threats ranked fourth. Over-regulation, trade conflicts and uncertain economic growth all ranked higher, according to PwC.
Cyber adversaries are accessing your most sensitive data via ever evolving channels:
It’s no surprise the management of cyber security has to evolve to keep up as business leaders everywhere search for the best way to tackle it.
To understand the emphasis on a risk-based approach, let’s look at where we’ve been. For years, the common "maturity-based" approach met business needs for sustainable, repeatable, and mature enterprise risk management.
In today’s ultra-connected world, these programs struggle to keep up with ever-changing and increasing demands. Because IT departments cannot put the same level of effort into everything, everywhere, we must prioritize and focus our efforts.
Today we need a more strategic, risk-based approach to help control the most relevant and vulnerable areas of potential risk.
A risk-based approach employs a systematic methodology to identify, evaluate, and prioritize the threats you face to mitigate the biggest risks first.
We all need to realize that we simply cannot prevent all cyber attacks or chase down every cyber risk. But you can protect your organization.
It starts by determining where to prioritize IT security investment—in terms of time and money—by identifying the gaps in your security programs that expose the potential for the greatest business impact. You will likely uncover numerous gaps, but they won’t all represent the same level of risk, so it’s wise to rank the potential business impact.
Using the risk-based approach to mitigate risk lets you reach your “target risk appetite”—the amount and type of risk you are willing to accept in pursuit of your business goals—at significantly less cost.
For example, one company increased its projected risk reduction 7.5x above the original program at no added cost. How did they do it? They simply reordered the security initiatives in the backlog according to the risk-based approach, according to McKinsey.
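To make the reordering described above concrete, here is an added example (not code from the article, and not McKinsey's data). It scores a small, constructed security backlog by expected loss avoided per unit of effort, then funds the same backlog under the same fixed budget twice: once in the order it was originally queued and once reordered by that ratio. Every initiative, cost, likelihood, impact figure and the risk-appetite threshold is invented for illustration.

```python
"""Risk-based backlog prioritization (illustrative example with constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Initiative:
    """One backlog item, scored against the gap it closes. All figures are constructed."""
    name: str
    cost: int          # effort in person-days
    likelihood: float  # estimated annual probability the gap is exploited (0..1)
    impact: float      # estimated business impact if it is, in $k
    mitigation: float  # fraction of that exposure the initiative removes (0..1)

    @property
    def exposure(self) -> float:
        """Annualised loss expectancy for the gap: likelihood x impact."""
        return self.likelihood * self.impact

    @property
    def risk_reduction(self) -> float:
        """Expected loss avoided per year if this initiative is delivered."""
        return self.exposure * self.mitigation


def risk_per_cost(item: Initiative) -> float:
    """Ranking key for the risk-based approach: reduction bought per person-day."""
    return item.risk_reduction / item.cost


def execute(backlog: List[Initiative], budget: int,
            key: Optional[Callable[[Initiative], float]] = None) -> Tuple[List[str], float, int]:
    """Walk the backlog in the given order, funding each initiative that still fits the budget.

    Returns (names funded, total risk reduction, effort spent). With key=None the backlog
    is executed as queued; with key=risk_per_cost it is reordered first (highest ratio first).
    """
    ordered = backlog if key is None else sorted(backlog, key=key, reverse=True)
    funded, spent, reduction = [], 0, 0.0
    for item in ordered:
        if spent + item.cost <= budget:
            funded.append(item.name)
            spent += item.cost
            reduction += item.risk_reduction
    return funded, reduction, spent


def residual_risk(backlog: List[Initiative], reduction: float) -> float:
    """Exposure left after the funded initiatives: total exposure minus reduction."""
    return sum(i.exposure for i in backlog) - reduction


# Constructed backlog, listed in the order it was originally queued (hypothetical data).
BACKLOG = [
    Initiative("Rebrand awareness portal",   cost=30, likelihood=0.05, impact=100.0,  mitigation=0.2),
    Initiative("Replace office Wi-Fi kit",   cost=40, likelihood=0.02, impact=300.0,  mitigation=0.5),
    Initiative("Patch legacy file server",   cost=10, likelihood=0.30, impact=500.0,  mitigation=0.9),
    Initiative("MFA for remote access",      cost=20, likelihood=0.40, impact=2000.0, mitigation=0.8),
    Initiative("Vendor access review",       cost=15, likelihood=0.25, impact=1200.0, mitigation=0.6),
]
BUDGET = 50        # person-days available this quarter (constructed)
APPETITE = 350.0   # target residual exposure in $k/year, i.e. the risk appetite (constructed)


def compare(backlog: List[Initiative] = BACKLOG, budget: int = BUDGET,
            appetite: float = APPETITE) -> Dict[str, dict]:
    """Same backlog, same budget: as queued versus reordered by risk per cost."""
    results = {}
    for label, key in (("as queued", None), ("risk-based", risk_per_cost)):
        funded, reduction, spent = execute(backlog, budget, key)
        residual = residual_risk(backlog, reduction)
        results[label] = {
            "funded": funded,
            "reduction": reduction,
            "spent": spent,
            "residual": residual,
            "within_appetite": residual <= appetite,
        }
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:11s} funded={r['funded']} reduction=${r['reduction']:.0f}k "
              f"spent={r['spent']}d residual=${r['residual']:.0f}k "
              f"within appetite={r['within_appetite']}")
```

With the constructed figures, the as-queued plan spends the budget on the two items at the front of the queue and leaves residual exposure far above the appetite, while the reordered plan funds three higher-value items for less effort and lands inside it. Two caveats a practitioner should keep in mind: the likelihood and impact inputs are estimates and deserve the same scrutiny as the ranking they drive, and ordering by ratio is a greedy heuristic, so for a large backlog with lumpy costs an exact budget-constrained selection can do slightly better.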
Whether assessing a global threat, addressing a localized vulnerability, or simply evaluating trends, it would be irresponsible to overreact to risks and make fear-based decisions or grandiose assertions that over-generalize a threat’s true impact. A risk-based methodology allows you to ask the right questions to get to the root of the severity of the threat.
Here are some questions to ask yourself as you shift to a risk-based approach to cybersecurity:
Relative to vulnerabilities:
Relative to evaluating third parties:
The point here is that not all things are created equal. You must determine your level of risk acceptance. For example, you may be willing to accept a lower level of security where the true risk is very low. Conversely, in high-risk or regulated environments your tolerance for anything other than full compliance may be low to non-existent.
For more about the risk-based cybersecurity approach, including information about cybersecurity metrics, emerging methodologies, and the evolving role of IT security leadership, read part two of this series, "Using security metrics to achieve cyber resilience."
David Levine is Vice President of Corporate and Information Security, CSO, CISM, Ricoh USA, Inc. In this role, he oversees cyber and physical security, trade compliance, access management, eDiscovery and litigation support, and select compliance functions, and he is routinely engaged in customer discussions on risk and security. He also chairs Ricoh’s security advisory council and leads the company’s global security team.