Strategising cybersecurity: Why a risk-based approach is key

By 2027, cybercrime could cost the global economy nearly $24 trillion. Businesses often find themselves at the sharp end of this challenge, and, as such, cybersecurity is a critical aspect of the modern business landscape. Cyber threats are multiplying and pose serious financial, legal and reputational challenges to organizations.

Modern and effective cybersecurity management entails more than managing technology risk; it encompasses managing business risk. Organizations must recognise cybersecurity as a strategic imperative integrated into their overall risk management framework — and this can be done at the board level.

Boards can set an organization's risk appetite, oversee risk management processes, allocate resources and ensure preparedness to respond to cyber threats. They can ensure accurate and timely reporting from management on risks and incidents as part of their broader role in managing risk.

Senior and executive management must understand that organizations can adopt two main approaches to enhance cybersecurity: maturity-based and risk-based.

Organizations widely use the maturity-based approach to enhance their cybersecurity posture. It involves adopting a set of industry-established best practices or standards to achieve a higher level of cybersecurity maturity. It does, however, have limitations.

It relies heavily on subjective assessments that can be influenced by factors such as communication skills, bias and experience of the assessor. Also, achieving a specific level of maturity does not guarantee protection from cyber threats and may create a false sense of security. The maturity-based approach may not adequately address an organization's unique risk profile, leaving them vulnerable to targeted attacks. It can be resource-intensive, diverting resources from other cybersecurity activities.

The risk-based approach to cybersecurity is flexible and customisable to meet an organization's specific needs and risks. It emphasises the identification and prioritisation of the most critical cybersecurity risks, followed by the application of controls to mitigate them. This approach involves continuous monitoring and reassessment to ensure that controls remain effective and relevant in the face of ever-evolving cyber threats.

It is effective because it allows organizations to align their cybersecurity strategy with their unique risk profile, enabling them to focus on the most significant threats and vulnerabilities. This approach also promotes a proactive cybersecurity culture by continuously evaluating and addressing risks, minimising the impact of cyber incidents. As a result, organizations can make informed decisions about where to allocate their cybersecurity resources and prioritise cybersecurity efforts based on their most critical assets and vulnerabilities.

Organizations can use risk quantification methodologies such as quantitative risk analysis and Monte Carlo simulation (i.e. FAIR Model) to measure the potential impact of cyber risks and prioritize risk mitigation efforts.

By incorporating cyber risk quantification into their risk-based approach to cybersecurity, organizations can better understand their cybersecurity risks, prioritise resources and make informed decisions about risk management. This can help them achieve more effective and efficient enterprise-risk management, ultimately improving cybersecurity outcomes.

Quantified cyber risk can be applied in real-life situations to assign a financial value to potential losses from cybersecurity incidents. This helps organizations manage their digital assets and prioritise risk mitigation efforts. It involves evaluating threats and vulnerabilities, and assessing the financial impact of incidents on productivity, legality, reputation and recovery.

Quantified cyber risk enables business leaders to make informed decisions about cybersecurity investments and take proactive measures against cyber threats.

Key Risk Indicators (KRI) provide a snapshot of the current risk level of the enterprise. At the same time, Key Performance Indicators (KPI) indicate the direction towards or away from an enterprise's risk-appetite level. By linking KRIs to KPIs, cybersecurity teams can help executives engage in constructive discussions to identify which risks are within acceptable levels and which require immediate attention. This enables informed decision-making and effective problem-solving at the board level and below.

The risk-based approach is interactive and helps to translate executive decisions about risk reduction into control implementation, ensuring an organization is aligned and working towards a common goal. By implementing controls in a coordinated and strategic way, companies can manage risks more effectively and achieve their desired outcomes.

To implement the risk-based approach successfully, organizations should adopt a comprehensive roadmap that includes conducting a thorough risk assessment, developing KRIs and KPIs that align with their objectives and risk appetite, establishing robust risk management processes and continuously monitoring and evaluating their cybersecurity posture. Technology is crucial in automating and streamlining risk management processes, implementing security controls and tracking KRIs and KPIs in real-time.

Organizations must continuously reassess their cybersecurity strategy as the threat landscape evolves. The maturity-based approach is no longer effective in protecting against modern cyber threats. A risk-based approach helps identify and prioritise risks, meaning a more efficient and effective cybersecurity programme. Investments in employee education and training, and effective risk management, can build a strong security posture that protects assets, reputation and customers from cyber-attacks.

Adopting a risk-based cybersecurity model also confers benefits beyond simply preventing cyber-attacks. It builds resilience and agility, and this method of continuously assessing and adapting makes for more streamlined and competitive organizations more generally.

Cybersecurity is a shared responsibility that requires collaboration from all stakeholders to safeguard organizations. The risk-based approach results in more effective and efficient enterprise-risk management and builds stronger and more secure organizations capable of responding to an evolving cyber risk landscape.

Widespread adoption of the risk-based approach would not only preserve organizations’ reputation, customers and stakeholders — it would create a safer digital ecosystem for all.