Why a Risk-Based Approach Yields Effective Security

Organizations have different needs for cybersecurity and thus adopt different strategies for identifying and fulfilling security control objectives. Some organizations focus their security efforts on meeting a compliance obligation, while others begin a renewed security effort in the wake of a breach or after interest from a senior executive. These ad hoc approaches to cybersecurity often work in the short term to fill gaps and meet a short-term need, but they often fail to take a long-term strategic approach that leaves the organization well-positioned to handle future threats. The fact is that organizations adopting these approaches to security often fail to follow any type of coherent strategy, leaving themselves vulnerable.

Compliance requirements drive the security programs at many organizations when technology and compliance teams scramble to meet legal, regulatory or contractual requirements. Obligations under the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and other regulations often leave an organization implementing security controls in “check-the-box” mode. While this approach may lead to improved security, it fails to look at the operation in a comprehensive manner. Regulatory bodies have narrow scopes of interest, designing regulations specifically to protect the confidentiality of certain pieces of regulated information. While compliance with these regulations may be mandatory, it is usually not sufficient to protect an organization against cybersecurity risks.

Breaking from Tradition

A more effective option for organizations is to adopt a risk-based approach to security that performs a holistic assessment of the threats facing an organization and the vulnerabilities in its current operating environment. Risks occur when there is an intersection of an existing (or potential) vulnerability and an identified (or possible) threat. When performing a thorough cybersecurity risk assessment, organizations evaluate each possible risk and then assign it a risk score. These scores are based on a combination of the likelihood that a risk will materialize and the impact on the organization should the risk come to pass. This risk-based approach allows the organization to focus its efforts on the risks that are more significant to its operations.

A risk-based approach to security recognizes that risks do not fit into neat buckets of high and low. Instead, they fit along a spectrum ranging from risks that are so low that the organization may accept the risk without adverse impact, to those that are so severe they must be avoided at all costs. The vast majority of risks facing an organization lie somewhere between those two extremes, and the goal of a risk-based security program is to appropriately prioritize and mitigate those risks to an acceptable level.

Adopting a risk-based approach to information security requires the involvement of numerous stakeholders from throughout an organization. IT teams should not undertake such assessments in a vacuum, because security risk is more than just a technology risk; it’s an operational risk as well. Risk mitigation decisions may have a serious impact on operations, and IT leaders often lack the context, subject matter expertise or scope of authority to make these decisions in isolation. Rather, they must engage other leaders in the conversation and create a forum for a comprehensive risk discussion. Organizations with mature approaches to enterprise risk management (ERM) may already have an executive-level committee set up to discuss risks that come in diverse forms: financial, operational, reputational and strategic. Adding technical risk to that mix is an excellent way to elevate the conversation to an appropriate level. 

The bottom line is that a risk-based security program must be very closely aligned with the goals of the organization. IT groups exist to facilitate the operations of the rest of the organization so that the entire operation succeeds. The technical decisions made within a security program may have a dramatic effect on the ability of the organization to achieve its goals, and a risk-based program must take this into account. Not all risks are technical. Strategic, operational and financial risks may justify accepting a higher level of technical risk than might seem otherwise appropriate. Balancing these considerations is an art that requires insightful qualitative analysis from a broad group of leaders.