We’ve discussed risk management and its complexity–what goes into it, what frameworks you can use, and how different forms of analysis and visualization can help you assess it effectively.
But let’s pump the brakes a little. Have you thought about what to do about your risk profile? Do you know how to approach risk as a problem that needs a solution?
Here, we will discuss the four types of risk management approaches that enterprises use to address and navigate their cybersecurity risk.
Risk Tolerance, Risk Appetite and Risk Thresholds
To start with, it’s critical to understand what your relationship to risk is. Treating risk as a metric in your cybersecurity strategy means measuring the gap between the controls you have (or could have) in place and the most comprehensive controls you could possibly deploy. It might be beneficial for your organization to deploy every single piece of high-quality security technology and training policy you can think of. Still, doing so may be too costly or impact performance too significantly.
In these cases, your business and security leadership have to make hard decisions. Is using a more expensive and complex firewall in line with business costs, or can a less comprehensive solution provide enough security to satisfy different requirements? Can the company justify spending less or more on enterprise-wide training? These questions all fall under the topic of risk management.
There are a few different approaches to this kind of risk balancing:
- Risk Appetite: Appetite refers to the amount of risk an organization is willing to take on with an understanding of potential reward. Appetite can refer to how an organization balances potential threats and compliance needs against the company’s growth and decides the upper bounds of what is acceptable. Many organizations will formally describe their appetite in an appetite statement.
- Risk Tolerance: Tolerance refers to the range of acceptable risks that an organization will take on. The addition of risky projects or decisions will move the organization’s profile within this range. Unlike appetite, this is a more restrictive metric–it doesn’t refer to a desire to take on risk for growth, but a restriction on tolerability.
- Risk Threshold: As the name suggests, the threshold is the absolute upper boundary of acceptable risk. The organization will not seek to go beyond this because the security ramifications are too severe, or problems could have severe consequences for customers, clients, or operations.
You’ll note that each refers to a boundary, which suggests some sort of metric. Many organizations will either create their own metric or use one as suggested by their cybersecurity consulting partners.
The Four Types of Risk Management
As a company approaches risk tolerance limits or thresholds, they must begin to make decisions about how to manage that risk–hence the name. That is, at this point, an organization must implement policies (ideally pre-formulated) that lead to some follow-up action that addresses the issue and moves the organization back within acceptable limits.
The four ways to approach risk management include the following:
Risk Avoidance
Avoidance means, literally, taking action to eliminate the source of risk altogether. This may mean foregoing the use of certain technologies, voiding contracts with troublesome or problematic vendors, or eliminating certain processes.
Avoidance can also refer to implementing security technologies and steps that eliminate security issues. For example, some of the following approaches can help your organization avoid common security risks:
- Implementing multifactor authentication (MFA) to avoid social engineering, phishing or password attacks.
- Training employees to spot certain types of social engineering attacks.
- Creating backup and recovery processes to avoid downtime in critical data systems.
Risk Reduction (Mitigation)
Sometimes it isn’t necessary to eliminate a source of risk. Instead, certain measures can serve as mitigation processes that reduce the likelihood or impact of a threat or vulnerability without completely locking it out.
Some common steps to reduce risk might be:
- Monitoring and negotiating third-party contracts and making incremental changes based on shifting security and compliance needs.
- Deploying encryption standards in line with security standards without requiring complete data lockdown.
- Installing firewall systems that allow certain types of traffic for business purposes, and regularly evaluating those policies based on new or emerging threats.
Risk Transfer
Transferring risk is an exciting prospect and takes on several facets in the world of managed service providers (MSPs). Transferring risk, in simplest terms, is moving some or all of the sources of your risk to a third party.
This may seem counterintuitive: in many cases, moving functionality to another party only serves to introduce additional third-party risk. But in some cases, offloading certain processes and systems can actually reduce overall risk, depending on the organization.
Consider the following ways to transfer risk:
- Working with highly specialized MSPs that target regulated industries and meet security standards above and beyond the baseline–for example, a PCI-compliant payment processor that has also earned several SOC 2 attestations.
- Spreading responsibility for data breaches or other security events to these third parties through a contractual agreement.
- Signing up for specialized cyber insurance that can cover legal costs associated with breaches.
- Working with a dedicated cybersecurity and risk management consulting firm to offload responsibilities (and including clear contractual language regarding those responsibilities).
Risk Retention (Acceptance)
While the previous three approaches find ways to eliminate, reduce or offload risk, it’s also important to know when to retain it. Sometimes a path forward, a business decision or a compliance strategy will inherently involve risk that is well within your appetite and thresholds, and the right response is to accept it knowingly and document that decision.
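The appetite/tolerance/threshold boundaries described earlier and the four treatment options above can be tied together in a small risk-register evaluator. The following is an added example written for this page; it is not Continuum GRC code and it assumes a 1–5 likelihood × 1–5 impact scoring scale, an assumed policy with appetite 6, tolerance 12 and threshold 20, and constructed sample risks. It scores each risk, reports which band it sits in, and shows whether a proposed treatment (avoid, reduce, transfer, retain) brings the risk back within tolerance.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Treatment(Enum):
    AVOID = "avoid"        # eliminate the source of risk
    REDUCE = "reduce"      # add a control that lowers likelihood/impact
    TRANSFER = "transfer"  # shift a share of the impact to a third party
    RETAIN = "retain"      # accept the risk as-is, within appetite


@dataclass(frozen=True)
class RiskPolicy:
    """Boundaries from an (assumed) appetite statement, on a 1-25 likelihood x impact scale."""
    appetite: float    # scores at or below this are simply retained
    tolerance: float   # upper edge of the acceptable range; above it, action is required
    threshold: float   # absolute ceiling; nothing may remain above it

    def __post_init__(self):
        if not 0 <= self.appetite <= self.tolerance <= self.threshold:
            raise ValueError("appetite <= tolerance <= threshold must hold")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0   # fraction of inherent score removed by existing controls
    transferred_share: float = 0.0       # fraction of impact contractually borne by a third party

    @property
    def inherent(self) -> float:
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        return self.inherent * (1 - self.control_effectiveness) * (1 - self.transferred_share)


def band(score: float, policy: RiskPolicy) -> str:
    """Place a residual score in one of the policy's bands."""
    if score > policy.threshold:
        return "above threshold"
    if score > policy.tolerance:
        return "above tolerance"
    if score > policy.appetite:
        return "within tolerance"
    return "within appetite"


def apply_treatment(risk: Risk, treatment: Treatment, factor: float = 0.0) -> Risk:
    """Return a copy of the risk with a proposed treatment applied.

    factor is the effectiveness of a new control for REDUCE, or the share of impact
    shifted to a third party for TRANSFER; it is ignored for AVOID and RETAIN.
    """
    if not 0.0 <= factor <= 1.0:
        raise ValueError("factor must be between 0 and 1")
    if treatment is Treatment.AVOID:
        return replace(risk, control_effectiveness=1.0)  # source eliminated, residual is 0
    if treatment is Treatment.REDUCE:
        # Controls compound: the new control removes a fraction of what is left.
        combined = 1 - (1 - risk.control_effectiveness) * (1 - factor)
        return replace(risk, control_effectiveness=combined)
    if treatment is Treatment.TRANSFER:
        return replace(risk, transferred_share=min(1.0, risk.transferred_share + factor))
    return risk  # RETAIN: unchanged


def evaluate_register(risks, policy: RiskPolicy) -> dict:
    """Map each risk name to its residual score and band; action is needed above tolerance."""
    return {
        r.name: {
            "residual": r.residual,
            "band": band(r.residual, policy),
            "action_required": r.residual > policy.tolerance,
        }
        for r in risks
    }


def treatment_restores_tolerance(risk: Risk, policy: RiskPolicy,
                                 treatment: Treatment, factor: float = 0.0) -> bool:
    """True if the proposed treatment moves the risk back to or below the tolerance line."""
    return apply_treatment(risk, treatment, factor).residual <= policy.tolerance


# Constructed sample policy and register (not real organizational data).
POLICY = RiskPolicy(appetite=6, tolerance=12, threshold=20)
REGISTER = [
    Risk("credential phishing", likelihood=5, impact=5),
    Risk("payment vendor outage", likelihood=3, impact=4),
    Risk("unsupported legacy app", likelihood=4, impact=5),
    Risk("single laptop loss", likelihood=2, impact=2, control_effectiveness=0.5),
]

if __name__ == "__main__":
    for name, row in evaluate_register(REGISTER, POLICY).items():
        print(f"{name:25s} residual={row['residual']:5.1f} {row['band']}")
    # Proposed treatments: MFA for phishing (reduce), contract for vendor (transfer),
    # decommission legacy app (avoid), accept laptop loss (retain).
    print(treatment_restores_tolerance(REGISTER[0], POLICY, Treatment.REDUCE, 0.6))
```

The compounding rule in `apply_treatment` is an assumption of this example, not a published formula: a new control removes a fraction of the risk that existing controls leave behind, so stacking two 50% controls yields 75%, not 100%. The `band` function is what the "move the organization back within acceptable limits" sentence above reduces to in practice: a risk above tolerance demands a treatment, a risk above threshold demands one now, and a risk within appetite may simply be retained and recorded.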
Manage Risk with Data-Driven Visualization
From third-party to cybersecurity and compliance risk, risk runs through every aspect of your business. From top to bottom, your CISO, CIO or compliance officers need to track these key metrics and how your organization is operating. When new vulnerabilities surface, systems change, or regulations change, your risk profile changes as well, and your organization cannot wait weeks or months to respond.
Work with the Continuum GRC ITAM platform, a cloud-based security and risk management platform that leverages automated documentation and reporting, clear visualizations and customizable metrics tailored to your needs. We are the only FedRAMP and StateRAMP Authorized solution in the world and specialize in private industry compliance and federal and defense regulations.
Are You Ready to Take Control of Your Risk Management?
Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.