Last Updated on December 22, 2016
In all my years as both an information security manager and a senior-level security advisor, one of the top questions that I have routinely been asked is: “How do I manage risk effectively?” The answer to this question comes down to risk tolerance.
What is Risk?
On the surface, it might seem like managing your business risk is simple: “If you have identified potential risks to your business, you should have a plan or be in the process of developing a plan that will fully address the risk and eliminate it from your environment altogether.”
But if the answer really is that simple, why does the risk management process still rise to the top of every security program’s Top 10 list of concerns? The truth of the matter is that the answer is not that simple…
To understand why, let’s start by looking at the definition of risk. According to Merriam Webster Online, risk is defined as: “The possibility of loss or injury: peril.”
According to ISO, risk is defined as: “The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.”
Both definitions reference the potential for harm. The focus of the Webster’s definition is broad and covers loss or injury. The ISO definition focuses on assets or groups of assets. For our purposes, it’s important to understand which information assets you are protecting. There are many elements to risk: physical, logical, financial, and reputational risk, to name a few. How concerned you should be about a particular risk will depend on your organization’s unique risk factors and risk appetite.
How Much Risk Will Your Business Tolerate?
In order to effectively manage risk, it’s critical that you define what is (and isn’t) an “acceptable level of risk” (risk appetite). This definition is not, in itself, difficult to create and is something that a trusted third party like Pivot Point Security can help you to develop in the context of a formal risk assessment process. Once you have defined your risk tolerance, you can then determine which risks are currently not “acceptable” and create a formal remediation plan to:
- Avoid/resolve the risk (completely eliminate or forego risk)
- Mitigate the risk (reduce the likelihood or impact of risk)
- Transfer the risk (assign or move the risk to a third party via Cyber Liability Insurance)
- Accept the risk (acknowledge the risk and choose not to resolve, transfer or mitigate)
Some of you are probably looking at those options and wondering: “What? Did you just say I can simply accept risks or transfer them to somebody else?” Well… Yes, I did! As you have built your own risk tolerance model, it is uniquely up to you to determine how each risk should be treated.
Examples of Risk Tolerance in Business
It is perfectly fine to accept or transfer a risk, as long as you have evaluated that risk and the potential impacts to your organization and deemed it to be within your stated tolerance level. To help put this in perspective, I’ll share two real-world scenarios that a couple of my customers have faced.
The first customer was a manufacturer who had identified a potential risk to a small manufacturing segment within their plant operations environment. In order to mitigate the risk, the entire system would need to be upgraded and all of the hardware would need to be replaced. The current systems were older and running an outdated operating system (VMS). But except for the legacy operating system, the manufacturing platform was otherwise healthy and fully operational, with no other dependencies or connections outside of the plant.
The cost to perform the required upgrades would have exceeded $500,000 and would have required operations to be shut down for a minimum of two months. In this scenario, the risk was to the availability of the manufacturing system. The equipment was old and therefore the risk of a failure was increased, but the likelihood of an outage occurring was low and acceptable to the organization. The cost and effort of the remediation greatly exceeded those of a potential outage.
The second customer was looking to implement online payment processing for its customers. Doing so would reduce overhead and increase sales by allowing customers to pay for purchases online with credit/debit cards, as opposed to having to call orders in.
The company estimated that sales revenue would increase by upwards of 65% using online payments. But they would then be liable for all this new credit card information they would be processing. The company consulted with me regarding the PCI requirements and quickly determined that this risk could be transferred by outsourcing payment processing to a third-party payment system. They partnered with a payment solution provider, which eliminated the credit card information from within their environment—and they increased sales a whopping 78% in the first year.
As you can see from these scenarios, a properly executed risk management process is a friend to the business. It’s not a process that attempts to ensure 100% resolution of all risks, but rather one that aims to be 100% certain that the organization is aware of the risks surrounding the business, and that a balanced and actionable plan is in place to reduce the threat of loss and financial impact.
Implement Effective Risk Management with Pivot Point
If you would like to discuss in more detail how your organization can build and implement an effective risk management program, please contact Pivot Point Security. We will be happy to discuss our process and how we can help you solve your specific needs.