Last Updated on July 20, 2021
Does your business do any form of cybersecurity risk assessment, formal or informal? When you consider adding technical functionality, do you weigh the risks? Or do you just focus on the benefits?
Dr. Eric Cole, well-known author and Founder/CEO of Secure Anchor Consulting, offers an illuminating, real-world view of risk assessment on a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Cybersecurity equals risk
“I am very big on cybersecurity equals risk,” says Eric. “I think one of the big roles of the CISO is to work with the executive team to define what is acceptable risk, because [risk tolerance] is different for different people. You just need to understand for the organization what that is.”
“The other big job of the CISO is to make risk-based thinking a causal part of what everyone does,” Eric continues. “Every manager, every VP, every person who makes a decision should unconsciously be asking, ‘Okay, what is the value and benefit? What is the risk and exposure? Are we willing to take that risk? Are we willing to balance that?’ That has to drive all of our decision-making process.”
Assuming safety is dangerous
This is second nature for most of us in our personal lives: when we get in a car or an aircraft, we accept the risk. But because that habit is so ingrained in relation to our physical environment, we don’t consciously carry it over into cyberspace.
“We assume that everything [in cyberspace] is safe by default, which is what’s really dangerous,” observes Eric. “You always need to think about the risk and the benefit in everything you do. Security should formally define what acceptable risk is for the organization, but then it should be an informal part of everyone’s management style and decision-making process.”
If you’re interested in best practices to help balance business benefit with cyber risk/exposure, tune in to this podcast episode with Dr. Eric Cole.