Businesses tackle cybersecurity from several perspectives and end up adopting different strategies for identifying and fulfilling cybersecurity control goals. Some small and medium businesses enter the security arena simply with a focus on meeting a compliance obligation, while others only commence a renewed security effort in the wake of a breach or after interest from a senior executive. These are all ad hoc ways to approach cybersecurity which often work in the short term to fill the immediate gaps and need, but more often than not fail to take a long-term strategic approach that leaves the organization well positioned to handle future threats. The business only adopted these approaches to security, while failing to follow any type of coherent strategy thereby leaving them vulnerable.
It is known that compliance requirements drive the security programs at businesses of all sizes when technology and compliance teams scramble to meet legal, regulatory or
contractual requirements. For instance, obligations under the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and other regulations push most organizations to only out in place security controls in “check-the-box” mode. Even though overall security may improve because of this, it fails to look at the operation in a comprehensive manner. The regulatory and compliance institutions have narrow scopes of interest, and so, design regulations specifically to protect the confidentiality of certain pieces of regulated information.
Although compliance with these regulations may be mandatory, it is usually not enough to protect an organization against cybersecurity risks.
A better approach and more effective option for businesses is to adopt a risk-based approach to security that performs a holistic assessment of the threats facing an organization and the vulnerabilities in its current operating environment. Risks happen when there is a crossing of an existing (or potential) vulnerability and an identified (or possible) threat.
Therefore, when performing a thorough cybersecurity risk assessment, organizations evaluate all the possible risk and then assign it a risk score. These scores are based on a combination of the likelihood that a risk will materialize and the impact on the organization should the risk occur. This risk-based approach allows the organization to focus its efforts on the risks that are more significant to its business operations.
A risk-based approach to security recognizes that risks do not fit into organized buckets of high and low. It recognizes that risk fit along a spectrum ranging from risks that are so low that the organization may accept the risk without adverse impact, to those that are so severe they must be avoided at all costs. The vast majority of risks facing an organization dwell in the region around those two extremes, and the goal of a risk-based security program is to appropriately prioritize and mitigate those risks to an acceptable level.
Therefore, adopting a risk-based approach to information security requires the involvement of numerous stakeholders from all over the business. Information Technology teams should never pursue such assessments in isolation, because security risk is more than just a technology risk; it’s an operational risk as well. Risk mitigation decisions more often have a serious negative impact on operations, and IT leaders often lack the context, subject matter expertise or scope of authority to make these decisions in isolation. Rather, other leaders must be engaged in the process and create a forum for a comprehensive risk discussion.
The bottom line is that a risk-based security program must be very closely aligned with the goals of the organization. IT groups exist to facilitate the operations of the rest of the organization so that the entire operation succeeds. The technical decisions made within a security program may have a vivid effect on the ability of the business to achieve its goals, and a risk-based program must take consider this. Not all risks are technical. Strategic, operational and financial risks may justify accepting a higher level of technical risk than might seem otherwise appropriate. So, it is essential to balance these considerations. This can be done when all the departments and actors in the business are involved in the process.
Benefits of a Risk-Based Strategy
There are several benefits that a risk-based security strategy brings businesses of all sizes. The first advantage is that a risk-based approach to cybersecurity allows the organization to understand the value achieved from their security investments. The next benefit is that it provides the business organization with a comprehensive view of risk; and finally, they fill in the gaps in an organization’s security strategy, providing a robust, defense-in-depth approach to cybersecurity.
Small and medium businesses must acknowledge that security is not cheap. According to CDW.com (2020), 60% of healthcare organizations responded to a 2017 survey by the Healthcare Information and Management Systems Society that they spent at least 3% of their budgets on security, while 11% reported that they spent 10% or more of their budgets on this category of expense. This means that when organizations invest significantly on security, business leaders and owners must understand the return on that investment. Using a risk-based approached to security gives justification for specific security investments by allowing the organization to tie the investments directly to the risks that they mitigate and the value that this brings to the business. In addition, risk-based approaches allow an organization to adapt to changes in the threat landscape, by moving the investment of time and money to areas that pose the greatest risk.
Furthermore, adopting a risk-based approach to security also helps organizations adopt a broader risk-based approach to business because the concepts of risk management discussed in cybersecurity conversations apply equally to many other areas of an organization. These include other technology matters, such as disaster recovery and fault tolerance, as well as issues that do not involve technology, such as media relations and industrial compliance.
Finally, a risk-based approach leads a business toward a robust set of security controls that are designed to meet the specific business needs of the organization. Rather than indiscriminately adopting a regulatory framework or industry standard, the business can customize a set of controls to their unique technical and operational environment. Thorough risk analysis can provide the information required to adopt a defense in-depth approach to cybersecurity. Such an approach uses overlapping controls to mitigate the most serious risks in a manner that is not dependent on any single control.
Make the Move to Risk-Based Security
Small and medium businesses that currently approach security using outdated ad-hoc approaches or a compliance focused method will benefit from moving to a more comprehensive, risk-based approach. Following the conduct of a thorough risk assessment, IT and business leaders must come together to develop an approach to cybersecurity that appropriately balances security needs and business requirements. Subsequently, security professionals will then work to implement a set of controls that align with this business-focused security strategy and develop an ongoing approach to security monitoring. Organizations that decide to adopt this strategy will benefit from seeking broad leadership support, benchmarking with other organizations, and changing the mindset of technical staff and other users.
One place to get technical support and compare solutions is CyberPal, the world’s first Cyber Security Marketplace that enables end-users to compare, review, ask peers, buy research reports for all your Cyber Security requirements. Locate and connect with nearest Resellers for all Vendor solutions. End-users can post a project and Independent cyber experts can send proposals to these end-users and buyers can simply purchase it via the cyberpal platform and award the vendors / contractors the contract. It’s a secure payment platform and endusers benefit from private communication as well. This can help you to drive your cyber security strategy for your business rather than it being a non-starter.