Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise

Jun 08, 2016 | by Steve Schlarman

In April, I wrote two blogs (How Hungry... and Appetite and Exercise) on the concept of risk appetite. I highlighted the fact that organizations must take on risk to drive growth within the business. That risk must be balanced with activities to manage the risk within a tolerance that is acceptable to the organization. Some organizations will be forward-leaning and willing to accept more risk or invest heavily in mitigating risks. Other organizations will be more risk-averse. Where your organization sits in this spectrum should be an ongoing dialogue within your risk management strategies.

Today, the convergence of business and digital risk is undeniable. Business growth and technology strategies are intimately connected. For example, expectations of healthcare providers are driving IT innovation in clinical analytics, call centers and connectivity of wearable devices. Financial services companies are constantly pushing boundaries for better customer service. Every industry is seeing this renaissance in how technology fuels business growth. With that connection comes the irrefutable union of risk. While business initiatives seek to create value, risk management efforts seek to protect value. "Value" is the common language that both sides of that equation should understand.

I am pleased to announce a new white paper, "Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise". This paper begins our exploration of Cyber Risk, expanding beyond the discussion of security threats into the broader dialogue of how technology, risks and sources of exposure affect your organization.

One highlight of the paper is the definition of categories of cyber risk. While the topic of security threats MUST be on the table for all organizations, thinking in broader terms of how technology is fueling your business is also an imperative. The categories include the intersection of Internal or External sources of risk with Malicious or Unintentional motives of threats. This simple quadrant classification gives perspective around the variety of cyber risks your organization faces today and an easy method to organize your efforts.

Ask yourself and your risk management peers: to what extent do you believe your organization has a clear understanding of its exposure to cyber risk? Does the organization view cyber risk beyond the headline-grabbing data breaches and security threats? At what point does your organization escalate cyber events (breaches, disruption, etc.) to the most significant level? These and other indicators will give you a sense of how cyber risk is perceived and what the appetite level is within your organization. I invite you to read the paper and start the dialogue in your organization around cyber risk appetite.

Read RSA's press release in our newsroom.

Check out the Cyber Risk Appetite microsite for more information.
