As someone who tries to watch my diet, I know how hard it is to deal with your own appetite. Several of my weaknesses - fresh bread, cold beer, pizza, the list goes on - are definitely not the best elements of a balanced diet. Most of the time I am able to deal with the urge. However, at times my appetite gets the better of me and, before I know it, the breadbasket or mug is empty. We all face that gnawing hunger at times. It is inevitable. When it comes to RISK within your organization, though, appetite takes on an entirely new meaning. Too much risk is like too much pizza: your organization becomes bloated with risk, the arteries clog, and eventually the business succumbs to a bad ending of one kind or another. However, if you don't take some risk, your business will lack the nutrients for healthy growth and wither away as your competitors beat you in the market. Maintaining a balanced diet and maintaining a good balance of risk in your business are very similar. Appetite plays a big role in both.
The most burning question within every organization today - regardless of industry, size or geography - is "What's next?" Where is the business going? What will be the growth engine that propels this company to the next level? The next obvious question seems to be "Where does technology fit into the equation?" Every business strategy today, whether it's a new product or service, a new way to connect with customers, or a new approach to eke out more efficiencies in your business processes, has a technology component. The right combination of technology and business growth strategy can be a powerful propellant for your business. However, each element of that combination has an underlying current of risk. Hence, at some point, the conversation of appetite will arise: what is the right balanced diet of risk to drive growth without becoming unhealthy?
This balance hinges on an understanding of the levels of tolerance within the organization. Even without specifically talking about risk appetite, organizations (or the people running those organizations) inherently have some sense of what is acceptable and what is out of bounds. Does your technology organization rush to implement the latest operating systems or versions of applications? What is the lead time it takes to upgrade hardware? Risk appetite and tolerance are woven into operational processes in many ways - they just aren't called out explicitly. In some instances, though, they are very much an explicit part of an operational process, such as patching high-risk vulnerabilities quickly.
The point is that a Cyber Risk Appetite, as a concept, is an inherent part of managing technology today. Current security and risk programs must establish a dialogue on appetite and tolerance between technologists and the business. Since today you cannot separate business and technology risk, building a view of what the balanced diet needs to be must cross the entire spectrum of cyber risks. Hence the discussion of Cyber Risk goes beyond the conversation of pure cybersecurity threats. The malicious outsider is a well-discussed topic - and rightly so. But for today's executive discussion, the conversation must also include additional elements of cyber risk. The challenge is for the business people to clearly understand where cyber risk plays a role in the business strategies, and for the technology people to connect the risks to the business with the technology efforts that address them. Connecting these two elements of risk, though, can be a significant struggle for many organizations.
Establishing your Cyber Risk Appetite is a journey of maturity within the organization. Right now, most likely, there is already a sense of what is acceptable and what is not. In some organizations that discourse may be an integral part of your risk approach. If it is not, raising that conversation above the subconscious to become a part of the ongoing dialogue between the risk management and business segments of your organization will fuel better decisions as your organization balances out its diet and deals with that gnawing hunger for growth.
Author: Steve Schlarman
Category: Research and Innovation, Blog Post
Keywords: Cyber Risk, Cyber Risk Appetite, Enterprise Security, Risk & Compliance (GRC), Risk Management, Security Management