In my last blog post, I posed the concept of Cyber Risk Appetite as something that all organizations need to consider today. I used the analogy of a balanced diet of risk - taking some risks to keep the business growing while avoiding so much risk that the business becomes bloated. The objective is to maintain a healthy business. If I may, I would like to take the analogy one step further. One factor to consider when you look at your own appetite - or intake of food - is how much energy you expend on a daily basis. If you have a tremendous appetite, you can counteract the amount of calories you ingest with a balance of physical activity. Yes, I am talking about exercise. This analogy is a helpful illustration to discuss the "cyber risk appetite" equivalent of exercise.
As your organization implements new technologies, extends to new markets or launches revolutionary business processes, risks will be inherently present. It is unavoidable. Based on your appetite and your risk tolerances, you then determine what you need to do to manage that risk - implement security technologies, modify processes, assign ownership, etc. Your cyber risk appetite will directly impact how much you will need to think through controls. In other words, BIG risk appetite = BIG exercise plans.
The conversation with the business - described in my previous blog - on how technology propels business strategies and what level of cyber risk is tolerable should be followed up with the exercise discussion. Meaning - when the business states we have a big appetite ("we want to move fast and will accept risks"), the response must be then what is your exercise plan? Exercise requires commitment, time, energy, will power and typically some type of equipment. You may not go out and sign up for daily boot camp classes but a willy-nilly exercise plan is not going to cut it if you let your appetite run rampant.
In today's hyper fast market, the business may need to go down a path that make the traditional, risk adverse GRC or security teams cringe. First, that reaction is natural. But more importantly, that instinct is necessary. Without that automatic response, a company can overextend its risks and head down a dangerous path. But once that innate aversion to risk subsides, an organization that understands it takes the effort of exercise to balance out the market drivers driving toward risk can focus on what is prudent to manage that risk and proceed with caution - but proceed nonetheless.
Just like maintaining a balanced diet of risk is necessary to maintain a healthy business, a disciplined exercise strategy is critical for the business to stay fit. Risk and security strategies that result in a coordinated, consistent application of controls throughout the enterprise will ensure that even if the business falls off the wagon and munches on an occasional snack food, there is a safety net of exercise to offset those extra calories.
Author: Steve Schlarman
Category: Research and Innovation, Blog Post
Keywords: Cyber Risk, Cyber Risk Appetite, Enterprise Security, Risk & Compliance (GRC), Risk Management, Security Management