Tackling the greatest threats first: a risk-based approach to cybersecurity

Cyber threats have moved up the list of top CEO concerns: 42% of global CEOs cite them as a major concern, according to a recent PwC survey, second only to pandemics and health crises (52%). This is a significant increase since 2020, when cyber concern ranked fourth on the list at 33%, behind over-regulation, trade conflicts, and uncertain economic growth.

The reason for this spike is simple: there is a slew of new channels through which digital adversaries can reach your most sensitive data. Examples include increased mobile and remote networking, cloud computing, AI, IoT, insider threats, and third-party entry points. It is therefore not surprising that the management of cybersecurity is fast becoming a top priority as business leaders everywhere search for the best way to tackle this challenge.

Leaders who demonstrate the greatest cyber resilience in this challenging climate are moving beyond compliance by taking a risk-based approach to cybersecurity. This approach ranks risks by likelihood and business impact, addresses the worst vulnerabilities in the most critical areas first, and keeps the primary focus on the largest and most potentially damaging security risks, saving your organization time and money.

Here are a few considerations as you explore the benefits of taking a risk-based approach to cybersecurity.

Narrow your focus to the highest risks

To understand the value of the risk-based approach, it helps to look at how cybersecurity has historically been handled. The common “maturity-based approach” is a sustainable, repeatable, and mature enterprise risk management program. It is a “monitor everything” or “build to control everywhere” approach. But in today’s ultra-connected world, these umbrella programs are not enough. Today, we need a more strategic, risk-based approach that concentrates controls on the most relevant and most exposed areas of potential risk.

Prioritize your IT security investments

It’s largely impossible to prevent all cyberattacks or chase down every cyber risk. So you must determine where to prioritize IT security investment—in terms of time and money—by identifying the gaps in your security programs that expose the potential for the greatest business impact. There will likely be numerous gaps, but they won’t all represent the same level of risk; it’s wise to rank the potential business impact so you’re positioned to address the biggest risks first.

Identify your target risk appetite

Using the risk-based approach to mitigate risk lets you reach your “target risk appetite”, or the amount and type of risk you are willing to accept in pursuit of your business goals. As reported by McKinsey, one company that did this increased its projected risk reduction 7.5 times above the original program at no added cost, simply by reordering the security initiatives in its backlog according to the risk-based approach.

Ask yourself key questions

When assessing a cyber threat, try not to make fear-based decisions or universal assertions that over-generalize a threat’s true impact. A risk-based methodology allows you to ask the right questions relative to vulnerabilities to rank the severity of the threat based on your specific and possibly unique environment.

Ask yourself:

  • What is the real risk to the company?
  • Do we use the product or system that’s vulnerable?
  • If so, is it a vulnerable version or used in a way that realistically puts the company at risk?
  • Are there mitigating controls?
  • What would the actual impact be?

It’s also important to ask defining questions relative to third parties to determine your level of risk acceptance, such as:

  • What data is involved?
  • Is it regulated?
  • What type of connectivity exists?

Answering these questions will help you rank your vulnerabilities and serve as an important reminder that not all risks are equal. You may be willing to accept a lower level of security if the true risk is very low. Conversely, in high-risk and/or regulated environments, your tolerance for anything other than full prevention may be low to non-existent.
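The two checklists above, encoded as a small triage routine over constructed findings and assets. This is an added example, not from the original article: the vulnerability ids are placeholders, and the 1-5 impact scale, exposure weights, and per-control discount are assumptions chosen only to show the ordering the questions produce (not used, not the vulnerable version, mitigated, regulated data).

```python
# Added example: the article's triage questions as a ranking function.
# Weights, scales and ids below are assumptions/constructed, not from the article.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # placeholder id (constructed)
    product: str
    affected: tuple     # inclusive (min_version, max_version), versions as tuples
    impact: int         # "What would the actual impact be?" on an assumed 1..5 scale


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: tuple
    connectivity: str       # "What type of connectivity exists?" (see EXPOSURE)
    regulated_data: bool    # "Is the data regulated?"
    controls: tuple = ()    # "Are there mitigating controls?" e.g. ("waf",)


EXPOSURE = {"isolated": 0.2, "internal": 0.6, "internet": 1.0}  # assumed weights
CONTROL_DISCOUNT = 0.5   # assumption: each mitigating control halves residual risk


def residual_risk(f: Finding, a: Asset) -> float:
    """Walk the checklist for one finding/asset pair; 0.0 means 'not our problem'."""
    if a.product != f.product:          # Do we use the product that's vulnerable?
        return 0.0
    lo, hi = f.affected
    if not (lo <= a.version <= hi):     # If so, is it a vulnerable version?
        return 0.0
    score = f.impact * EXPOSURE[a.connectivity]      # used in an exposed way?
    score *= CONTROL_DISCOUNT ** len(a.controls)     # mitigating controls?
    if a.regulated_data:                # regulated data: tolerance is near zero,
        score = max(score, f.impact)    # so controls never discount below raw impact
    return round(score, 2)


def triage(findings, assets):
    """Return (risk, vuln_id, asset_name) triples, highest residual risk first."""
    pairs = [(residual_risk(f, a), f.vuln_id, a.name) for f in findings for a in assets]
    return sorted((p for p in pairs if p[0] > 0), reverse=True)


# Constructed sample data: one mitigated internet-facing hit, one regulated
# internal hit, one finding for a product we do not run, one unaffected version.
FINDINGS = [Finding("VULN-PLACEHOLDER-1", "webapp", ((2, 0), (2, 4)), impact=5),
            Finding("VULN-PLACEHOLDER-2", "dbms", ((11, 0), (12, 3)), impact=4),
            Finding("VULN-PLACEHOLDER-3", "legacy-cms", ((1, 0), (1, 9)), impact=5)]
ASSETS = [Asset("edge-portal", "webapp", (2, 3), "internet", False, controls=("waf",)),
          Asset("hr-db", "dbms", (12, 1), "internal", True),
          Asset("intranet-wiki", "webapp", (2, 9), "internal", False)]
```

Running `triage(FINDINGS, ASSETS)` puts the regulated database ahead of the mitigated internet-facing web app and drops both the unused product and the patched wiki, which is the "not all risks are equal" ordering the questions are meant to produce.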

Learn more and act!

Remember: If an approach to cybersecurity is informed by fear or attempts to treat all vulnerabilities equally, its runway for success will be short. A risk-based approach provides confidence that you’re making the right long-term IT investments to tackle the most impactful risks to your business first.

Click here for additional considerations as you explore the risk-based approach to cybersecurity, including:

  • How to measure success and useful metrics to track;
  • Alternative cybersecurity methodologies that can help provide structure around your IT security planning;
  • The evolving role of your organization’s IT security department and executive leadership team;
  • Tips to stay vigilant against security threats.