We’ve all assessed some level of risk in our lives in one way or another. For example, if you’re living in a studio apartment in New York City’s Lower East Side, chances are you won’t be shelling out the additional expense of adding home security to the 450-square-feet you occupy. While there is still a chance of having it broken into, the second-hand furniture and 24-inch flat screen TV may not be worth the risk for burglars.
But if you’re a family of four living in the Upper East Side, your neighborhood’s an indicator of wealth, and chances are you have a lot more to lose. In this case, you’ll opt for additional security.
While the parameters are different, the same thinking applies when it comes to determining your organization’s risk tolerance. Some businesses, however, are inaccurately measuring their risk appetite.
All organizations are targets for cyber attacks, but similar to the example outlined above, cybercriminals tend to place a bullseye on some more than others. Given the security arsenal some larger enterprises are equipped with, many times attackers will look to getting in by way of the smaller businesses that may be partnering with larger enterprises. That’s why accurately assessing your businesses’ cyber risk tolerance goes a long way in developing your overall cybersecurity strategy.
Where to Get Started
It’s your first day working as the cybersecurity lead at your organization, so chances are you’ll need to assess its overall risk appetite. But where do you start? According to Mark Whitehead, director of Americas at Trustwave SpiderLabs, it’s all about understanding what the core business is.
"This can help them understand if they’re prone to targeted attacks and what cybercriminals could be targeting," he says.
No matter the size of the business, chances are it’s a target if it’s involved in work that’s tied to the military, cutting edge research, processing payments, or is in the financial or retail industries, according to recent data from the 2019 Trustwave Global Security Report.
By getting a better sense of what your company assets are, it leads to more effective prioritization. This also helps determine what tools and services your business needs to tap into. When it's time to meet with upstream management about resources, clearly communicating the business’s risk appetite will go a long way.
"Security leaders need to make sure they are properly understanding and explaining risk and their company’s risk tolerance to the heads of the organization," Whitehead adds.
How to Determine Cyber Risk Tolerance
When you’re ready to assess your organization’s risk tolerance, it may be best to adhere to a framework that can serve as the foundation of your assessment. The NIST Cybersecurity Framework is one example that focuses on the essential functions that your team can adhere to. While there are others, this is one Whitehead recommends.
"If what your team is working on doesn’t answer how you identify, protect, detect and respond to assets, data or systems within the business, one could argue that your organization isn’t working on what matters," he says.
To effectively do this, it’s vital to identify critical assets within the business, something easier said than done. This is primarily because of the mountain of challenges security leaders are presented with, from merger and acquisition and Shadow IT activity to data stored on a cloud service provider.
Once you’re able to determine what and where your assets are, you can systematically apply risk by specific criteria. But it’s essential to test the controls in place to validate they work continually, Whitehead says.
"Both highly automated as well as manual testing is critical to an organization’s success," he adds.
Aspire to Adaptive Security
The lower the organization’s risk tolerance is, the more you should be baking anticipation into your overall cybersecurity strategy. Businesses that have a very low-risk tolerance tend to take an adaptive approach to security, which involves threat detection and response activities such as security orchestration and threat hunting. This approach also relies on artificial intelligence (AI) analysis of user behavior to anticipate attack methods.
"The cost of staying secure is forcing an organization to be more adaptive," Whitehead says. "Each day, new technology is available, but nothing really comes off an organization’s plate from a technology standpoint."
This growing inventory is what’s made the modern-day business a labyrinth for security leaders to navigate. Evolving from mainframes to personal computers, and wireless internet-connected technology to social networks, there's no end in sight for this digital transformation movement.
"Given the predicted explosion of IoT devices that will interact seamlessly with the internet, a lot more is getting ready to get added onto that list," he says.
While investing in cutting-edge security solutions is always an option, enterprises with a low cybersecurity risk tolerance are also opting to partner with a trusted security advisor that can help increase bandwidth to direct and manage technology providers, in addition to offsetting the need for more skilled workers. This enables security leaders to focus on strategic projects that can measurably reduce risk within the business.
Key Questions to Keep Top of Mind
When you’re working through your organization’s risk assessment and prioritizing company assets, Whitehead suggests keeping the following questions top of mind to help you better understand the business’s overall risk tolerance:
- What puts my employees at risk physically?
- Would my customers be happy if this was exposed?
- Would our company still be in business if we lost access to this data or if it was available outside our organization?
Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.