Mitigated risk is defined as what the company has decided to remedy and what management is providing resources to fix. The investments in this category will typically go toward resources that reduce the likelihood or impact of risk. Once management has identified how much they’re willing to invest to mitigate risk, security leaders can begin to address the next two categories.

Acceptable risk is the risk that a company acknowledges and chooses not to resolve, transfer or mitigate. This is the hotly debated category; it tends to be CISOs’ greatest source of anxiety and the board’s greatest money-saver. Complete risk protection is not only impossible but also requires a substantial amount of money and resources that the board usually doesn’t want to pay for. That means there is risk remaining that the organization will have to accept.

Transferred risk is risk that is moved to a third party and/or to cyber liability insurance. Examples of transferred risk may be hiring a third party to store and manage employee data, credit card information or even security processes. There is nothing wrong with transferring risk if the company has fully assessed the organizational impacts and agrees on a path forward. Note that transferring risk does not transfer accountability: if the outsourced provider loses the customer data, the organization that collected it still answers to its customers and regulators, so the assessment has to cover the third party’s controls and the contractual and insurance terms, not just the decision to outsource. This remains true for acceptable risk as well.

Step 2: Truly "Accepting" Risk

Although we defined and mentioned acceptable risk above, this topic deserves further explanation. Accepting risk is not easy for any organization to do, especially for large, household-name companies that will most certainly show up in headlines if things go south. However, it’s a necessary step that organizations must take, regardless of how much money they’re planning to spend on their security program. While it’s a complicated process, taking two main steps can point you in the right direction.

There are three categories that organizations can divide their resources into when deciding what risk they should and should not accept: must-haves, should-haves and nice-to-haves. For one organization, any resources that help protect customers’ sensitive information may be their must-haves, whereas for a smaller business that doesn’t hold sensitive customer information, protecting its financial information may be the top priority.

Clearly, the must-haves will suffer least from a limited budget, while the lower half of the should-haves and everything below will likely suffer the most, because that is where the accepted risk accumulates. Dividing assets into these categories should be a joint task with management, where you explain the consequences and let them manage the risk together with you. Acceptable risk is a shared decision, and all organizational leaders share accountability for defining what risk they can and cannot accept.

Comparing Your Risk With Your Investment Level

An additional step that helps security leaders and managers determine what is acceptable and what is not is comparing your risk with how much you’re willing to invest toward protection. If the aforementioned organization that prioritizes customer information has qualified the assets supporting that priority as its must-haves, it is likely comfortable spending more money to protect that information than the information itself is worth. Why? You can’t put a price on reputational risk. However, if I’m that CISO and I’m looking at my should-haves, there may be systems that are very resource-consuming to keep updated but where the impact of their being compromised would be low.