I’ve always been troubled with the idea of how to provide valuable cybersecurity services without selling fear. I don’t want to be a fear monger.
The answer is to sell logic.
There is logic and there is emotion. Often we default to emotion when we don’t know the logic.
But identifying and measuring logic for cybersecurity risks can be difficult and it takes time. Often we want to get to the solution without measuring the problem.
The way to measure cybersecurity needs is to measure risk and measure risk appetite. Cybersecurity services should provide a bridge between these two logical waypoints. If the waypoints are not quantitatively identified, the solution is often just a mix of things that appeal to emotion in attempts to remove fear.
So how do you measure risk? This is an age-old question that sounds easier than it is. In brief, we identify assets, assign values and then identify threats and vulnerabilities and compute them into a formula that gives us some value of risk.
Risk = Impact x Opportunity / Cost
The process of performing a ‘risk assessment’ has often been misunderstood and even more often misvalued. The idea of a risk assessment has been leveraged by companies selling security ‘products’ to offer this service for FREE to assess what products they can sell.
We sell a risk assessment service. Most companies don’t want it. I don’t blame them. When you don’t know the value of it or what problem it solves, and on top of that there are ‘free’ ones being offered, why would you pay for one?
Story:
I approached a local business and offered to help them mature their cybersecurity program. They shared some specific security pains they were having. As the conversation progressed they opened up more and more about issues and had many questions that I considered ‘scattered’, meaning they were not focused on one area or technology. I offered to provide some free written recommendations on the initial pain points and if they found them valuable I could help them evaluate tools, or provide process improvements. I then recommended a risk assessment. At this time the risk assessment cost about $6,000. They informed me they didn’t need one because another company had provided one for them. When I asked what the top three recommendations from their risk assessment were, they shared: firewall, antivirus, and a new email software suite. Let me be clear, they recommended specific brands and models, and versions of these solutions. This was a red flag, as the output of a risk assessment shouldn’t be products, especially specific ones. Sometimes when I get concerned, I get quiet. I need to think and process and never want to show an emotion that might make a client feel stupid or shameful. Once I bit down on my thoughts, I asked, “Do you mind me asking how much you were charged for this risk assessment?”
“It was free.” They said it in a way that emphasized ‘free’ and I felt like it was meant to make me feel stupid that I would even consider charging this much.
Instead of judging them, I set aside my pride and considered the idea of how great it might be to provide local businesses with free security assessments. I mean if they find it valuable, then maybe it is a good thing. Why should this service be restricted to only those who can afford one performed by a good professional? Curious about how this free assessment improved the company’s security posture I finally asked, “When was this assessment performed?”
“Three years ago.”
“How many of the recommendations have you been able to remediate?”
“I think we bought a new firewall, so one.”
Ouch. The truth is, they liked ‘free’ but they did not value it.
People value things more when they are invested. This free assessment had only driven one change, and that was a purchase, no evidence of any actual security improvements. That firewall purchase cost over five times the cost of a risk assessment and there was no measurable change in their risk. But they had no problem buying the firewall.
I understand. I really do. If I were a doctor and you had a horrible disease and I offered a life process improvement plan, or a pill, the pill is always easier.
A paid security assessment would have provided them a non-biased, risk-focused perspective of where their biggest risk was. It would have given them clear, actionable plans on how to reduce risk over time. It could have helped them forecast labor and tools and plan the budget. It would have provided them with the peace of knowing that the work they were capable of doing was the right work. It would have given them the confidence they were doing the right thing. A paid risk assessment would have provided a written report from an outside, third-party, non-biased perspective they could provide to leadership, and the board of directors, to get agreement from the top down on where the risk reduction efforts should be focused.
When a business does value identifying their risk and makes it a business driver to reduce the risk, a qualified risk assessment provides an incredible value.
Determining risk is only one part of actually deciding on the risk reduction efforts. The decision on risk reduction efforts drives resources, labor, and budget.
To determine risk reduction efforts, a risk assessment should be paired with determining the company’s risk appetite.
The risk assessment is driven by the security consultant, and supported by the business.
The risk appetite decision is driven by the business and supported by the security consultant.
Risk Appetite is a business decision on what level of risk they are comfortable accepting and managing.
Our goal as cybersecurity professionals is not to remove risk. Risk isn’t a bad thing. Our goal is to help companies reduce their risk to an acceptable level. This requires the identification of risk appetite.
How can a business identify their risk appetite?
The first thing to state is that how a company determines the level of risk that is acceptable is broader than just cybersecurity. Risk appetites span the whole business and all its decisions, not just security. Larger companies will even have a dedicated risk officer role that helps determine this level and engages in business conversations that involve risk.
Without this role, the best thing to do is socialize risk. Bring it up and talk about it around the table at business meetings. Get the juices flowing so that people begin to think about it and conceptualize what it looks like for your unique business.
The next thing you can do is talk to other companies in your industry about their risk appetites. Ask if they’ve formalized any statements about it. Often businesses will publish a statement, or several, about their appetite for risk in their company policy. This is becoming more popular and some predict it will even become a regulated standard to have a statement about your company’s risk appetite.
Lastly, remember that just as a food appetite changes, so can a risk appetite. Your company’s position on risk can change frequently and doesn’t have to remain static and set in stone.
Having some kind of risk appetite decision will not only enable your business to move faster, but it will complement the cybersecurity initiatives by providing an overlay on the risk assessment.
When a risk assessment and the risk appetite are used together, they give all stakeholders a clear picture of what the cybersecurity priorities and initiatives should be. These can then be built into project preplanning to gather requirements and cost estimates. After these requirements and costs are gathered, a final ‘go’ or ‘no go’ decision can be made when the cost is compared to the risk reduction estimates. If approved, the cost projections should be added to the budget and the right people should be brought to the planning table.
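As an added example (not from the original post), the process above in code: each risk is scored with the post’s formula, held against a risk appetite threshold, and each proposed effort gets a ‘go’ or ‘no go’ call by comparing its cost with the risk reduction it buys. The 1-10 scales, the threshold, the reading of “Cost” as attacker effort, the decision rule and all sample figures are assumptions.

```python
# Added example (not from the post): score each risk with the post's formula,
# Risk = Impact x Opportunity / Cost, hold it against a risk appetite threshold,
# and make the 'go' / 'no go' call per proposed effort.  All numbers are
# constructed; the 1-10 scales, threshold and decision rule are assumptions.
from collections import namedtuple

# impact/opportunity/cost on an assumed 1-10 scale; Cost is read here as the
# effort an attacker must spend (higher cost, lower risk).
Risk = namedtuple("Risk", "name impact opportunity cost")
# opportunity/cost estimated after the effort is done; budget is its price.
Effort = namedtuple("Effort", "name risk opportunity cost budget")

def risk_score(impact, opportunity, cost):
    """The post's formula: Risk = Impact x Opportunity / Cost."""
    return impact * opportunity / cost

def prioritise(risks, appetite):
    """Risks above the appetite threshold, highest score first."""
    scored = [(r.name, risk_score(r.impact, r.opportunity, r.cost)) for r in risks]
    return sorted([s for s in scored if s[1] > appetite], key=lambda s: -s[1])

def go_no_go(risks, efforts, appetite):
    """Assumed rule: 'go' only when an effort brings a risk that sits above
    appetite down to the accepted level; reduction per budget unit is reported."""
    by_name = {r.name: r for r in risks}
    out = {}
    for e in efforts:
        r = by_name[e.risk]
        before = risk_score(r.impact, r.opportunity, r.cost)
        after = risk_score(r.impact, e.opportunity, e.cost)
        if before <= appetite:
            decision = "no go: already within appetite"
        elif after <= appetite:
            decision = "go"
        else:
            decision = "no go: does not reach appetite"
        out[e.name] = {"before": before, "after": after, "decision": decision,
                       "reduction_per_budget_unit": (before - after) / e.budget}
    return out

# Constructed sample data for a small business.
RISKS = [Risk("unpatched remote-access appliance", 9, 8, 2),  # scores 36.0
         Risk("shared administrator password", 7, 9, 3),     # scores 21.0
         Risk("marketing site defacement", 3, 6, 2)]         # scores 9.0
EFFORTS = [Effort("patching cadence plus MFA", "unpatched remote-access appliance", 2, 6, 4000),
           Effort("password vault, unique admin accounts", "shared administrator password", 3, 6, 6000),
           Effort("replace the perimeter firewall", "marketing site defacement", 5, 2, 30000)]
APPETITE = 10.0  # assumed: the business accepts any risk scoring 10 or below
```

With this data the firewall replacement is the costliest item and is a ‘no go’ because the risk it addresses already sits within appetite, while the two cheaper efforts each bring a risk from well above appetite down to the accepted level.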
We’d be honored to have a place at that table, or to help enable your business by conducting a non-biased risk assessment.
Example Risk Appetite Statements
Here are some example risk appetite statements:
Micro Engineering Corp has no appetite for safety risks that could result in injury or harm to workers. All appropriate safety processes and standards should be followed at all times.
Jet Stream Manufacturing is willing to accept risks that may result in some financial loss. The financial loss should be reviewed by the company’s offices and should not exceed the amounts outlined.
Metco Financial tolerates limited risk on financial decisions and investments. It also works to achieve a lower risk appetite for cyber threats and cyber risks.