It’s in our nature to respond to Fear, Uncertainty and Doubt (FUD) which is exactly why threats make for powerful headlines; but out of context they are meaningless. Instead, organisations need to determine the cyber risks that are relevant to their business. And so, we think it is time we change the cyber security conversation from one distracted by threat, to one focused on business risk. Read on to discover how you can take a risk-based approach to cyber security.
‘Threat-mania’ continues to rule the cyber security industry, with the media happy to use FUD to encourage accelerated buying as a defence against these threats. However, when it comes to cyber security, layering technology as a response to threat, isn’t necessarily better. Often resulting in the following issues for businesses: unnecessary expenditure, wasted time and false alerts.
A more rational approach is to look at cyber security in the context of business risk, whereby devices, teams, departments and processes can be rationally assessed to establish not only their likelihood of being exploited but crucially what the impact to the business will be. At Secrutiny, we are huge believers of risk methodologies because it uses the same language that stakeholders endorse.
Organisations need to understand what is the risk you are willing to accept and what controls do you have in place if an event was to occur. This approach allows a business to have constructive discussions at executive level and take logical actions that are commercially and fiscally sound. During my time in the industry, it has become evident that threats translate into risks very differently in each business; therefore, organisations need to align their cyber security spend to their specific business risks, not industry threats.
What’s the Difference Between a Threat and a Risk?
The first step to changing the cyber security conversation is to establish the difference between threat and risk. Put simply, a cyber threat is a malicious act that seeks to exploit a vulnerability to obtain, damage, or destroy an asset. A threat can be either ‘intentional’ or ‘accidental.
A risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. The challenge in the context of cyber security is to provide evidence that identifies and quantifies risk so you can take appropriate action. You can’t eradicate all IT vulnerabilities but prioritising remedial activity based on which pose a significant risk to your business is key.
The Value of Context When Considering Threats
To overcome the natural urge to respond to a threat and instead pragmatically assess the business risks, we advocate asking the following context-setting questions to help you determine a programme of security improvement that is rational, proportionate and based on actual risk:
- Which areas of your business are most at risk of exploitation?
- What’s making them so susceptible to risk?
- What impact could these risks have on the ability of your business to operate?
- What steps do you need to take based on what you know?
- What you can prove?
To conclude, instead of protecting company data and systems to the same extent from every single threat, you need to identify your organisation’s specific needs in order to align your security budget accordingly. Predominantly, it’s the resource shortage of IT operations and lack of business understanding of security risk, which is generating a lot of the exposure that organisations face.
I work bottom-up from evidence because we shouldn’t be basing cyber security on fear, uncertainty and doubt, you need to be able to sit in front of the board and go ‘here is the evidence and here is the risk we’ve identified’. But to quantify and manage risk, you need to be forensic in your approach. For more information about changing the cyber security conversation from one distracted by threat, to one focused on business risk, check out our white paper, Time for a Cyber Risk Perspective.