
Elite CIOs, CTOs & execs offer firsthand insights on tech & business. Opinions expressed by Forbes Contributors are their own.

Post written by

Jason Christopher

Jason is CTO at Axio Global, Inc., a cyber risk optimization firm, where he merges risk management services with enabling technology.



In order for the chief information security officer (CISO) to get that coveted seat at the executive table, the security industry needs to mature. In a previous column, I advised CISOs to look to their counterpart in finance as an example. Security, like finance, must own a piece of the business and talk about it in quantifiable terms. There’s another way the CISO’s thinking needs to mature — and that’s in terms of risk.

There are, historically, four ways to address risk. If security leaders want a seat at the executive table, their approach needs to mature to incorporate all four risk strategies:

1. Risk Acceptance

Let’s call this the “de facto” strategy. Don’t know what to do about the risk? Well, it looks like you’ve accepted it! That’s tongue-in-cheek, of course, but many organizations simply accept elements of cyber risk. Maybe the solution is too costly to manage. Perhaps the risk has been quantified (you are quantifying your risks, right?) and viewed as a minimal impact. There may be some situations where you simply accept the risk involved.

2. Risk Tolerance

Tolerating risk is normally a stepping stone to something more permanent. As the name implies, the organization has identified the risk but not fully accepted it. Tolerating a risk may happen when the solution is planned in a future project or may be a temporary state.

3. Risk Transfer

This approach involves passing risk on to another entity, typically an insurance company. Unfortunately, insurance is often seen by security folks as an admission of failure or a worthless control. The reality is that every other part of the business has insurance. Companies take out insurance in case of fire, employee injuries and regulatory fines. They even, in some cases, insure their executives in case someone gets kidnapped. Chief financial officers (CFOs) take out business interruption coverage to recoup costs. Security leaders don’t have that same conversation about cyber insurance, even though it’s an accepted concept throughout risk management. That brings us, finally, to …
