The Business-Centric Risk Strategy
March 12, 2019
A holistic security program starts with discovering your company’s risk appetite.
In our blog series, Shifting from Preventative to Proactive Risk Management, we discuss how and where to focus your efforts to become proactive about security risk. In the first post, Security in 2019: Getting Ahead of the Game, we discussed how security teams can create a fluid strategy in lockstep with business stakeholders to build a powerful security platform. The second post, Learning the Enemy Perspective, covered the importance of understanding how threat actors think and act so that the security team can gain the upper hand. In today’s blog, we will show that taking a step back to evaluate the need for a sustainable risk strategy that is predictive and proactive is worth the time and effort.
Many organizations are reaching a breaking point when it comes to the effectiveness of their cybersecurity. Security teams are overwhelmed with the job of reacting to and investigating alerts and then fixing problems as quickly as possible before a threat actor gains access to sensitive data. But the velocity of new apps, connected devices and data growth inside corporate networks makes the job more difficult than ever before. Hackers have exponentially more entry points into a business today compared with just two years ago. And discovering and monitoring all those access points is a never-ending game of catch up. Security teams know they can’t effectively protect every piece of data equally, but where should they focus and how?
Instead of buying more tools to throw at the problem, it’s time to take a step back. What organizations need is a sustainable strategy that is predictive and proactive when it comes to risks and threats. Programs must tightly connect with business needs and goals so that security teams can focus their efforts. It’s time to stop doing the same thing and expecting a different outcome.
A smart first step is to determine the risk appetite at your company. Is your business risk-averse or risk-tolerant? Financial services firms are traditionally risk-averse, given the high potential of financial and customer loss if accounts are compromised. Healthcare companies are also risk-averse but more due to stiff regulatory requirements to protect personal health information: exposing patient data can cost millions of dollars in fines. The only way to gauge your company’s appetite is to talk with the line of business decision-makers. These people know which applications and information influence revenues and touch customers. Those conversations should guide your decisions on how and where to invest the security budget.
These tips can start conversations and create the right strategy for your organization:
- Get clear on business goals and risks. Understanding business context is crucial in developing the best security approach. The goal of meeting with business stakeholders is to understand and prioritize top business risks and to determine the potential fallout of an incident from a financial, customer and reputational standpoint. From there, security experts can develop the appropriate countermeasures and gain agreement and support from business leaders on the plan. It’s helpful to understand how executives define risk so that the security team can speak the same language. As an example, security teams commonly classify risk as low, medium or high, but unless those definitions match what the business understands them to mean, the conversation gets lost in translation. Security teams need definitions of risk that match the business definitions in order to communicate clearly.
- Consider industry frameworks and regulations. There are dozens of security frameworks and regulations to use as a guide when developing security plans and many of them focus on verticals or specific business actions: Federal Financial Institutions Examination Council (FFIEC) for finance, National Institute of Standards and Technology (NIST) for industry and science and the Health Insurance Portability and Accountability Act (HIPAA) in healthcare. Horizontal regulations also apply, such as the Payment Card Industry Data Security Standard (PCI DSS) which covers any organization processing payments through credit cards. Be careful not to get overwhelmed with the standards – there are 114 controls alone in International Organization for Standardization (ISO) 27002. Opt instead to choose a few dozen controls to focus on at a time, highlighting a handful that your team will strive to meet for advanced maturity while maintaining base capabilities in other areas until you can shift focus. How do you pick which controls to accelerate and advance first? Again, mapping back to your top business risks and goals should be your guide. And when faced with the need to meet multiple regulations, build a foundation based on the industry standard that is best aligned with addressing the totality of your needs.
Creating a business-aligned risk strategy takes time and patience, yet the effort will pay off in the long run. Your team will have confidence that time and resources are going toward protecting the most important areas to keep your business thriving.
Take the quiz, How Risk-Aligned Is Your Business, to determine if your security program is aligned with the wider business strategy.