The 4 Ways You Can Cope With Cyber Risk
In the last article, we discussed the Cybersecurity Risk Management (CSRM) framework, its benefits and how to begin implementing your own CSRM program. A CSRM-based cybersecurity program is the most efficient and effective way for your organization to determine what actions to take and, more importantly, what actions not to take.
In this article, we’ll dive a little deeper into the types of actions you can take in a simple-to-understand framework that will give you additional tools to unlock your cybersecurity potential and be sure you’re taking the right action at the right time for the right budget.
When you are faced with a business risk (not just a threat or vulnerability, which we'll discuss later, but a true business risk) that could create a loss of an important company asset, many people's first reaction is to put a mitigation in place to reduce the likelihood that the risk will lead to a negative impact.
While that might be the right solution, many organizations fail to consider the broader scope of the risk and all the different options that exist to deal with it. No matter the risk, you should always ask: “How bad can this loss hurt us?”
If the answer is "It can put us out of business", you should put a high priority on the resolution. If the answer is "It would be an inconvenience" or, more often, "It depends", then you must have a framework to think through the problem or risk getting bound up in indecision or inaction.
We’ll talk more about how to quantify your risk and assess risk quickly in future articles. For this article, we’ll dive a little deeper into the four categories of risk disposition from which you can choose:
- Mitigation – Taking steps to reduce the likelihood or impact of the risk
- Avoidance – Taking actions to avoid the activity that gives rise to the risk
- Transference – Taking action to shift risk to another organization
- Acceptance – Actively acknowledging the risk you have and choosing to take no further action at this time
To illustrate this point, let's consider a risk most people take every day and manage without much thought: driving a car.
When you drive a car, even for short distances, you are at risk of mishap. That mishap could create a financial loss, property loss, reputation loss, and most importantly, loss of life or negative health impact. We all employ a risk framework, largely in our subconscious, to manage this risk.
- Mitigation – Seatbelts
- Avoidance – Don’t drive
- Transference – Insurance
- Acceptance – Roll the Dice
This framework is natural to us. We use it instinctually in many things we do every day.
Cybersecurity risk management may seem less natural and more complex, but the framework to decide what to do about risk should feel familiar.
Don’t be fooled. Many manufacturers will tell you that mitigation is the only way to cope with risk because it sells more licenses. When faced with a big purchase or a risk that you feel you must act on, rely on this simple framework and you can’t go wrong.
In future articles, we will dive deeper into the four risk disposition strategies as they relate to cybersecurity and discuss how to rapidly identify and quantify risks so you know which ones to deal with, and when.
Before you act on any cyber risk, it’s also important to zoom out and consider the context in which that risk exists. What are your business priorities right now? Is your team in the middle of a product launch? A regulatory audit? A funding round? The same technical risk can carry very different weight depending on where your organization stands. That’s why a risk disposition framework is so valuable — it helps you pause, evaluate impact, and align your response with business reality, not just fear or vendor pressure.
Another benefit of clearly defining your risk disposition strategy is resource optimization. When you consistently apply this framework, your team becomes more confident in knowing which issues demand immediate investment and which can be tabled or accepted. Over time, this builds organizational discipline and reduces unnecessary spend — especially on tools or technologies that sound urgent but don’t align with your actual risk posture.
It's also worth noting that different stakeholders may see risk differently. Your IT team may want to mitigate everything. Your CFO may prefer transference through insurance. Your CEO may lean toward avoidance for anything reputational. Using a shared framework like this creates common language across teams, reduces friction in planning, and ultimately leads to faster, smarter decisions. The more mature your risk management model becomes, the more confident your leadership can be that security supports your business rather than slowing it down.
Lastly, remember that risk disposition is not a one-time decision. Business environments shift. Technology evolves. What was an acceptable risk last quarter might now warrant mitigation, or vice versa. That's why the CSRM model isn't just a technical exercise; it's a continuous business practice. By regularly revisiting your risk disposition choices and updating them based on real-world changes, you're building a security culture that's agile, informed, and built to last.
Until then, keep up the fight and be secure!