Risk Acceptance & Business Payout

Key Takeaways From the Gartner Security & Risk Management Summit 2017

I just got back from the Gartner Security & Risk Management Summit with three key takeaways that I would like to share. Overall, industry leaders indicate that cybersecurity should be treated as a business function, not as a tax, and to achieve this, we need to base our security approach on:

  1. An attitude and culture of Risk Acceptance
  2. A Risk Management Methodology that enables us to detect and manage risk
  3. Effective alignment with the CEO and BoD by making risk-based decisions focused on business goals

Let’s get into the details.

1. Risk Acceptance

Your security goal should be to build a sustainable program that balances the need to protect against risk and the need to enable the profitability of your business.

There are trade-offs between having an extremely high level of security versus a low level of security. Having an extremely high level causes the rate of production within your business to slow. Having a low level of security does not impede the rate of production, but it does significantly increase the possibility that your business will become susceptible to a cyber attack.

One approach to fighting threats has been to try excluding them altogether. This would mean providing a very high level of security. The world of cybercrime, however, has evolved in parallel with the legitimate world of commerce, and the sheer volume of attacks along with the high level of sophistication of some makes this an impractical strategy. Imagine locking down your entire business to the point where it’s fully protected — the extreme level of security would make it nearly impossible for the business to operate effectively to drive profitability. This approach simply won’t work.

What to do?

In the current cyber threat environment, we need to replace some of our existing habits and ways of thinking with new attitudes and best practices around security.

Specifically, we all need to accept that some degree of security risk will always be part of the environment. This is called Risk Acceptance.

As part of Risk Acceptance, you need to establish a balance between how much risk you are willing to accommodate and the imperative of driving the success of the business (i.e., the revenue or profitability). And in achieving this balance, one of the keys is to ensure that risk mitigation measures do not impede the business, but function instead as enablers to drive operational efficiency, speed, revenue optimization, and growth. In effect, security becomes a business-aligned value driver, and not a business tax. 

Sound like a plan? Not yet, so let’s think this through.

2. The 4 Rs Risk Management Methodology

How do you accept risk and simultaneously put in place a means of managing it? At Threat Stack, we recommend a best practice that we call the 4 Rs Risk Management Methodology.

It’s an end-to-end, lifecycle approach that’s designed to protect you at all phases of exposure to risk. In brief, the 4 Rs are Risk Identification, Risk Assessment, Risk Mitigation, and Ongoing Risk Monitoring.


1. Risk Identification

The first step is to detect any threats that are present. You can’t manage threats unless you can identify and see them — hence, you need visibility.

2. Risk Assessment

Once you have detected threats, you need to measure or assess them to distinguish between those that are serious and need to be dealt with immediately, those that can be dealt with at a later time, and those that, frankly, can be ignored. Again, you can’t eliminate all threats, so you evaluate, and then act according to severity level. Prioritizing risks is key so you know where to focus, given limited time and manpower.

3. Risk Mitigation

In the Risk Mitigation phase, the goal is to eliminate serious threats, and to do this as quickly as possible. So Mean Time To Detect (MTTD) and Mean Time To Resolution (MTTR) are critical. Once you’ve identified a high severity threat, you want to resolve it in the shortest amount of time. (For a discussion of how Threat Stack’s Cloud Security Platform® reduces MTTR, see Shifting to High-Velocity Cloud Security Operations.)

4. Ongoing Risk Monitoring

Security — or risk management — is never a once and done activity, or something you do once a year as a demonstration for an auditor. Security is a continuous 24x7x365 activity. The bad guys don’t take holidays, and your organization can’t either.

Ongoing Risk Monitoring ensures that the risks you are exposed to are being methodically managed in real-time from first detection, through an evaluation of severity, to mitigation. This keeps you informed at all times and allows you to inform key decision makers and management of the risks that are being managed and that may impact the business. Having this level of risk information in real time helps to build trust between security teams and the leadership team.

To sum up, the 4 R methodology ensures that the risks you accept are also risks that are managed.

We’re not quite done, however: Now you need to factor three additional elements into your Risk Management model:

  • Scalability to grow with your business
  • Flexibility to fit into your workflows and systems now and as they evolve
  • The ability to continually reassess how much risk is appropriate in your environment

The reason? All businesses are dynamic (or they would be defunct). Therefore, you need to be sure your risk acceptance and management approach will scale as the business grows and will be capable of evolving as it changes. And as your organization evolves, grows, and matures, you need to have the ability to reassess how much and what type of risk is acceptable.

At this point you have a Risk Acceptance approach, and you’re ready to pitch your plan to the powers that be so you can get on with implementation. But who are the powers that be? Who are you pitching to?

The CEO and possibly the Board.

3. How to Align Effectively With the CEO and BoD

Security at the C level is fairly new. So let’s first ask why you need to align with the CEO and the BoD. Why not go to the CTO, for example? The answer is fairly straightforward: The CEO and the Board have the money, the ultimate decision-making authority, and the responsibility for protecting their organization and for making it maximally profitable.

Now let’s talk about how to align with the CEO and the BoD.

Nothing we have written in the preceding sections will produce results if you can’t explain your approach and obtain full buy-in, understanding, and support from the top.

Here are some guidelines on putting together an effective management presentation:

  1. Do: Prepare a proposal for applying your approach to a low-risk, small-scale, self-contained project that won’t require much time or funding, but which will demonstrate the results you are claiming.

    The results you obtain on this project can then be extended to show the benefits and savings that would be attained if you applied your approach enterprise wide, or at least to larger, more critical projects.

  2. Do: Focus on issues that are central to your audience’s interests. Explain how your approach will act as an enabler that will help the organization achieve its business objectives.

  3. Do not: Do not start by focusing on the technology. The BoD knows and cares about business, not technology. Down the road, when your proposal is being fully vetted, you’ll need to provide technical details, but at the outset, your audience wants to know about the ends (business results), not the means (the underlying technology).

  4. Do: Remember what your Freshman English teacher taught you: Use the language of your audience and do not try to impress by using jargon.

Final Words . . .

To sum up, your goal should not be the elimination of risk. That’s probably an impossible task in any event, and would assuredly drain critical resources and draw expertise away from your core competencies. Your goal should be enabling your business to scale and achieve maximum profitability by adopting a Risk Acceptance attitude and using a comprehensive Risk Management Methodology.

As we stated at the outset, the most realistic and rewarding way to run a business in today’s cyber climate is through embracing the culture of Risk Acceptance, determining how much risk you are willing to accept, and managing the process using an approach such as Threat Stack’s 4 R end-to-end risk management methodology.

If you’d like to see the Threat Stack Cloud Security Platform® in action, contact us now to schedule a demo.