Security is a complex and challenging problem. Often when talking to business leaders, the question raised is “How do I know this improvement, this investment, will help prevent the thing I’m worried about, lower my risk, prevent a successful attack?”.
1. When we conduct our security program gap assessments, we include some lightweight risk modelling to help a company identify its top risks, so we can map the gaps in the program against the risks it is most concerned with. Better anti-malware will help against ransomware. Improved employee security awareness training will help reduce the risk of successful phishing attacks and business email fraud. Improved security monitoring will help identify threats to your cloud environment early, and detect and prevent data breaches.
2. The next step, which we do with clients as a Risk Register exercise, is to develop an understanding of the relative probability and impact of the different types of risk. Given your controls, policies and the state of the industry, how likely are you to be targeted by business email fraud attacks this year? If one is successful, what is the likely financial impact to your business?
We like to break down risks along two dimensions: probability – how likely an event is to occur in a given year – and impact – measured in relative terms compared to an organization’s annual turnover. Combining these two factors lets us prioritize the risks most important to the business, and the gaps uncovered in the assessment give us a roadmap for lowering those risks over time.
💡After all, a business is much better off spending its limited funding and time dealing with risks that are high probability and high impact than those which could easily be shrugged off by the company, and occur only rarely.
This framework – identify the risks, map to probability and impact, build a roadmap based on gaps, controls, policies – is the core of an effectively focused and executed security program.
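The following is an added worked example of the framework just described (a risk register scored on probability and impact, with gap-closing controls ranked into a roadmap); it is illustrative code written for this page, not the consultancy's own tooling. Every risk name, annual probability, impact figure and control effect is a constructed sample value, and the way a control reduces risk (scaling a risk's annual probability by a factor) is an assumption chosen to keep the model simple.

```python
"""Toy risk register: probability x impact scoring plus a control roadmap.

Added illustration for this page, not a vendor tool. All figures below are
constructed sample values, and "a control scales a risk's annual probability
by a factor" is a modelling assumption, not a claim from the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the event occurs in a given year, 0..1
    impact: float              # loss if it occurs, as a fraction of annual turnover

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss as a fraction of turnover (probability x impact)."""
        return self.annual_probability * self.impact


@dataclass(frozen=True)
class Control:
    """A roadmap item that closes a gap. probability_factor maps each risk the
    control addresses to the multiplier it applies to that risk's annual
    probability (0.5 halves it; risks not listed are untouched)."""
    name: str
    probability_factor: dict


# Constructed sample register: four risks a mid-sized business might list.
RISKS = [
    Risk("ransomware", 0.25, 0.15),
    Risk("business email fraud", 0.50, 0.02),
    Risk("cloud data breach", 0.10, 0.30),
    Risk("website defacement", 0.30, 0.005),
]

# Constructed sample controls, mirroring the gap-to-risk mapping in the text.
CONTROLS = [
    Control("better anti-malware", {"ransomware": 0.5}),
    Control("security awareness training",
            {"business email fraud": 0.6, "ransomware": 0.8}),
    Control("cloud security monitoring", {"cloud data breach": 0.4}),
]


def prioritize(risks):
    """Risks ordered by expected loss, highest first (the register view)."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def apply_controls(risks, controls):
    """Residual register once every control in `controls` is in place.
    Factors from several controls on the same risk multiply together."""
    residual = []
    for r in risks:
        p = r.annual_probability
        for c in controls:
            p *= c.probability_factor.get(r.name, 1.0)
        residual.append(Risk(r.name, p, r.impact))
    return residual


def loss_reduction(risks, control):
    """Total expected-loss reduction (fraction of turnover) from one control."""
    before = sum(r.expected_loss for r in risks)
    after = sum(r.expected_loss for r in apply_controls(risks, [control]))
    return before - after


def build_roadmap(risks, controls):
    """Greedy roadmap: repeatedly pick the control that removes the most
    remaining expected loss, re-evaluating against the residual register so a
    control whose risk has already been reduced is not over-credited."""
    remaining = list(controls)
    current = list(risks)
    roadmap = []
    while remaining:
        best = max(remaining, key=lambda c: loss_reduction(current, c))
        roadmap.append((best.name, loss_reduction(current, best)))
        current = apply_controls(current, [best])
        remaining.remove(best)
    return roadmap


if __name__ == "__main__":
    print("Prioritised register (expected loss as % of turnover):")
    for r in prioritize(RISKS):
        print(f"  {r.name:<24} p={r.annual_probability:.2f} "
              f"impact={r.impact:.3f} EL={100 * r.expected_loss:.2f}%")
    print("Roadmap (expected-loss reduction per step):")
    for name, gain in build_roadmap(RISKS, CONTROLS):
        print(f"  {name:<28} -{100 * gain:.2f}% of turnover")
```

The greedy ordering is the point worth noticing: security awareness training addresses two risks, but because anti-malware is applied first and already shrinks the ransomware line, training's credited reduction is re-computed against the residual register rather than the original one, which is exactly the re-prioritisation the roadmap exercise is meant to capture.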
Reach out today if you’d like help measuring, prioritizing and addressing your security risks.