Risk Acceptance doesn't have to be scary

Conventional thinking in cybersecurity tells us to mitigate every risk you can. Almost every vendor will tell you that adding more layers of security will make you safe. They stoke fear and tell you that you must mitigate all risks possible. They will tell you that risk is to be feared and stamped out at all costs.

There is a dirty secret buried in that message:

The vendors that tell you to be afraid will profit from your fear. 

To be fair, there are scary threats out there. Hackers, ransomware, fraudsters and even employee mistakes can take your company down and cause great harm. We all must be cognizant of the risks those threats pose to our daily lives, and even our health.

That said, we all must see past that fear to a place of practical action. We cannot mitigate every risk. We cannot spend unlimited funds on cybersecurity. When faced with this apparent dilemma the mountain of potential risks can seem overwhelming.

Embrace your accepted risk: a different approach

When you can see your risks as just another fact of life and not get wrapped up in the hype, you can begin to see past the noise. You accept risk every day. When driving a car, when making a purchase, when simply eating a meal, you accept some level of risk. Think about it – if you drove all risk in your life to zero, you’d never leave your home and you’d live in a bubble.

When you become comfortable with the idea of accepted risk, you can begin to take practical steps to understand your risk and accept what you cannot mitigate.

You can start with three simple steps:

Step 1: List the assets of your business.

This should be easy. It’s common sense: Cash, equipment, clients, reputation, in short – anything that adds value to your business or, if impacted, would create a loss.

Step 2: List the threats that could cause you harm.

Include cyber-threats like hackers, ransomware and fraudsters, but also broaden your horizon and think about natural threats like weather, earthquakes, and even political / economic factors. Rank these threats from most concerning to least concerning.

Step 3: List vulnerabilities.

This gets a little more difficult. You might need some tools, staff, consultants or service providers to help. Missing patches, weak passwords, unsecured accounts, misconfigured platforms and weaknesses in SaaS platforms are all examples of vulnerabilities.

Many companies focus on technical vulnerabilities, but don’t leave out business and common-sense vulnerabilities: lack of cash, market position, defensible moat and competitive weaknesses are all examples of non-technical vulnerabilities. Rank these vulnerabilities by severity or likelihood of being exploited.

Know what risks you accept.

Once you have this information at hand, you can start to build your risk acceptance strategy. You will find that some threats are not practical concerns. You will find vulnerabilities that are very unlikely to be exploited, or that would not create a loss if they were exploited.

You will also home in on the assets that are most valuable. You will focus on the threats that are most concerning to your business. You will begin to understand the scope of your vulnerabilities. You will find that many of these are common sense while some are less obvious.

You will begin to understand your risk threshold (the maximum risk your company can withstand) and your risk appetite (the maximum risk you are comfortable with). You will find yourself on a journey that results in accepting the risks you are comfortable with and focusing on mitigating, transferring or avoiding the risks that you can't withstand.
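The three steps above, together with the threshold and appetite idea, can be worked through as a small risk register. The following Python is an added example and not code from the original post: it pairs assets, threats and vulnerabilities into risks, ranks them, and sorts each one into "accept", "mitigate" or "transfer or avoid" against an appetite and a threshold. The scoring rule (likelihood times impact on 1 to 5 scales), the sample register entries and the appetite/threshold values are all assumptions made for the example; the post itself prescribes no particular scale.

```python
"""Added example: a minimal risk register following the post's three steps.

Scoring and sample data are assumptions, not guidance from the original post.
"""
from collections import Counter
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1..5 scale for both likelihood and impact


@dataclass(frozen=True)
class Risk:
    """One row of the register: an asset, a threat to it, and the vulnerability the threat would use."""
    asset: str          # step 1: something that adds value or would create a loss
    threat: str         # step 2: what could cause harm
    vulnerability: str  # step 3: the weakness that lets the threat cause harm
    likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int         # 1 (negligible) .. 5 (company-ending), assumed scale

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early rather than silently skewing the ranking.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"likelihood and impact must be in {SCALE}: {self}")

    def score(self) -> int:
        """Assumed scoring rule: likelihood x impact (max 25)."""
        return self.likelihood * self.impact


def rank(risks: list[Risk]) -> list[Risk]:
    """Most concerning first; ties broken by asset name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset))


def decide(risk: Risk, appetite: int, threshold: int) -> str:
    """Accept what sits within appetite, treat what exceeds it, escalate what exceeds the threshold."""
    if risk.score() <= appetite:
        return "accept"
    if risk.score() <= threshold:
        return "mitigate"
    return "transfer or avoid"


def build_strategy(risks: list[Risk], appetite: int, threshold: int) -> list[tuple[Risk, str]]:
    """Ranked register with a decision per risk. Appetite can never exceed the threshold."""
    if not 0 < appetite <= threshold:
        raise ValueError("appetite must be positive and no larger than threshold")
    return [(r, decide(r, appetite, threshold)) for r in rank(risks)]


def summarize(plan: list[tuple[Risk, str]]) -> dict[str, int]:
    """How many risks land in each bucket; useful for sanity-checking the chosen appetite."""
    return dict(Counter(decision for _, decision in plan))


# Constructed sample register (fictional business, fictional ratings).
SAMPLE_REGISTER = [
    Risk("Customer data", "ransomware", "missing patches on file server", likelihood=4, impact=5),
    Risk("Cash", "fraudster", "no second approval on wire transfers", likelihood=3, impact=4),
    Risk("Office equipment", "earthquake", "single site, no insurance", likelihood=1, impact=4),
    Risk("Reputation", "hacker", "weak passwords on marketing SaaS", likelihood=3, impact=2),
    Risk("Cash", "market downturn", "thin cash reserve", likelihood=2, impact=3),
]

# Assumed values: comfortable with a score up to 6, cannot withstand anything above 15.
SAMPLE_APPETITE = 6
SAMPLE_THRESHOLD = 15


def main() -> None:
    plan = build_strategy(SAMPLE_REGISTER, SAMPLE_APPETITE, SAMPLE_THRESHOLD)
    for risk, decision in plan:
        print(f"{risk.score():2d}  {decision:<18} {risk.asset} / {risk.threat} / {risk.vulnerability}")
    print(summarize(plan))


if __name__ == "__main__":
    main()
```

The "accept" rows are the written record of the risks you have chosen to live with, which is the point of the post: they are deliberate decisions, not gaps. Raising the appetite moves rows from "mitigate" into "accept"; comparing the summary before and after such a change is a quick way to see what a given budget is really buying.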

From there, you will know you’re spending the right amount on the right risks at the right time.

We’d love to hear from you about your risk acceptance journey.